Php-fpm settings cannot be changed by domain owner

In the olden days, before moving to the php-fpm model – which now I believe is the only environment VirtualMin supports for CentOS 8/RedHat 8 – when logged in as an admin owner, you could adjust certain PHP settings … these settings were stored in a domain-specific php.ini file inside their local ETC directory tree, which was owned by the domain owner.

After switching to php-fpm, as you will recall, the local php.ini file is no longer used; instead, PHP adjustments must go into the domain-specific config file inside /etc/php-fpm.d/ (note there is a different syntax in this config file vs. php.ini).

As part of the core design of php-fpm, those config files define what Unix socket or TCP port will be used for the domain, and as such, any adverse changes can affect the entire Linux system instead of only the single domain. That is, when php-fpm restarts or reloads, one mistake in one config file will cause everything to stop working, I believe.

When logged in as ROOT, of course I can adjust pretty much anything :) – such as PHP memory, through the VirtualMin PHP panel. But when logged in as the domain admin, I now cannot save my settings and instead receive this message:

Failed to save resource limits : Failed to open /etc/php-fpm.d/1640874692165537.conf for writing : Permission denied

… as that config file is owned by root. If I change the file to be owned by the domain owner, then they CAN save any settings they desire, but the Edit Configuration Manually button is (still) available, and as such, would allow the domain owner to possibly break things such as the LISTEN directive — which as I mentioned above, could cripple the entire server.

Sorry if this has been hashed out before — should the php panel be more or less, the same regardless of the backend execution method (prefork/event …etc) – or should there be a different/limited display for the php-fpm environment?

I guess another way to say this — if the domain admin can see stuff and it's implied they can adjust things, then shouldn’t those adjustments be permitted?

Somewhere in the Apache panel, it has two buttons (paraphrasing) – View Config and Edit Config. So to allow the domain owner to update certain PHP settings, first have the php-fpm config file owned by the domain owner, then replace the Edit button with a View Config button, or have no button like that at all. Then the remainder of the settings on the panel should give the expected behavior.

On the assumption the Edit Configuration Manually button now gives the domain owner too much power :)

Thoughts?

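The concern raised in the post, that a domain owner with write access to the pool file could alter the LISTEN directive, can be checked mechanically by comparing a proposed pool file against the live one and rejecting any change outside an allow list of PHP settings. The following is an added example, not part of the original post and not Virtualmin code; the allow list, pool name, socket path and function names are assumptions.

```python
import re

# Assumed policy for this example (not Virtualmin's): the only pool
# directives a domain owner may change.
ALLOWED = re.compile(
    r"^php_(admin_)?(value|flag)\[(memory_limit|max_execution_time|"
    r"upload_max_filesize|post_max_size)\]$"
)

def parse_pool(text):
    """Parse php-fpm pool text into {directive: value}."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("["):
            # Pool header; concatenated so a renamed or extra pool shows up.
            directives["[section]"] = directives.get("[section]", "") + line
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a directive: {line!r}")
        directives[key.strip()] = value.strip()
    return directives

def disallowed_changes(current_text, proposed_text):
    """Directives added, removed or altered that are outside ALLOWED."""
    cur, new = parse_pool(current_text), parse_pool(proposed_text)
    changed = {k for k in cur.keys() | new.keys() if cur.get(k) != new.get(k)}
    return sorted(k for k in changed if not ALLOWED.match(k))

# Constructed sample pool file; names and paths are placeholders.
LIVE_POOL = """\
[example_pool]
user = exampleuser
group = exampleuser
listen = /run/php-fpm/example.sock
pm = ondemand
pm.max_children = 8
php_admin_value[memory_limit] = 128M
"""
# Edit that only raises the memory limit.
OK_EDIT = LIVE_POOL.replace("128M", "256M")
# Edit that also moves the listener and widens open_basedir.
BAD_EDIT = OK_EDIT.replace("/run/php-fpm/example.sock", "127.0.0.1:9000") \
    + "php_admin_value[open_basedir] = /\n"

if __name__ == "__main__":
    print(disallowed_changes(LIVE_POOL, OK_EDIT))
    print(disallowed_changes(LIVE_POOL, BAD_EDIT))
```

Running `php-fpm -t` before a reload additionally catches syntax errors across the whole configuration, which this per-directive comparison does not.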