HHVM 3.0 / Hack with Nginx cannot access file in directory with 770 permissions on Ubuntu 13.10 while having group membership

StackOverflow https://stackoverflow.com/questions/22749281

  •  24-06-2023

Question

I have nginx set up to use the HipHop VM version 3.0 in fast-cgi mode. Some facts:

  1. I'm running on Ubuntu 13.10
  2. The nginx and hhvm run as the user www-data.
  3. The user www-data is in the group fooers
  4. The server root for nginx is a directory /srv/foo with a single index.php file in it
  5. The group ownership of /srv/foo is the group fooers
  6. /srv/foo permissions are set to 770

When I try to view this page, I get a 404 not found, but no errors logged in either hhvm or nginx logs. However, if I change permissions to 775 on /srv/foo the page gets served by the hhvm and nginx perfectly as expected.

Also, if I change the default group for the www-data user to be the fooers group, it works with 770 permissions. It only seems to fail when it's not the default group for the user.

What's the issue?!?!? Does anyone know why the hhvm/nginx running as a user www-data with group access to a directory is unable to access when permissions are 770?

To confirm my sanity and ensure my groups and permissions are as I think they are, after starting services, I run

$> ps -aux

I see as expected an hhvm process and the nginx processes running as www-data:

www-data  3484 .... /usr/bin/hhvm --config /etc/hhvm/server.ini --user www-data --mode daemon -vPidFile=/var/run/hhvm/pid
www-data  3617 ... nginx: worker process 

When I check the groups I see:

$> groups www-data
www-data : www-data fooers

When I check the directory, I can confirm 100% access to group and owner:

$> ls -al
total 16
drwxr-xr-x  5 root root   4096 Mar 30 15:57 .
drwxr-xr-x 22 root root   4096 Mar 30 11:52 ..
drwxrwx---  2 root fooers 4096 Mar 30 15:39 foo

If I check the contents of the file as the www-data user I am allowed in:

$> sudo -u www-data ls -al /srv/foo
total 12
drwxrwx--- 2 root fooers 4096 Mar 30 15:39 .
drwxr-xr-x 5 root root     4096 Mar 30 15:57 ..
-rw-rw-r-- 1 root fooers   38 Mar 30 15:39 index.php

If I try the above with a user not in the fooers group, it fails.

Here is my /etc/hhvm/server.ini:

; php options

pid = /var/run/hhvm/pid

; hhvm specific

hhvm.server.port = 9000
hhvm.server.type = fastcgi
hhvm.server.default_document = index.php
hhvm.log.level = Warning
hhvm.log.always_log_unhandled_exceptions = true
hhvm.log.runtime_error_reporting_level = 8191
hhvm.log.use_log_file = true
hhvm.log.file = /var/log/hhvm/error.log
hhvm.repo.central.path = /var/run/hhvm/hhvm.hhbc
hhvm.mysql.typed_results = false

I really hope this isn't something silly and obvious I overlooked...

Here is my nginx location block for the web root:

location ~ \.php$ {
    root /srv/foo;
    fastcgi_keep_conn on;
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME /srv/foo$fastcgi_script_name;
    include        fastcgi_params;
}
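
The checks in the question (`groups www-data`, `sudo -u www-data ls`) consult the group database or start a fresh process, while the kernel decides access from the group IDs the running daemon actually holds. The following is an added example, not part of the original post, that reads those IDs from a Linux `/proc/<pid>/status` file; the sample status text and the gid numbers 33 and 1001 are constructed.

```shell
#!/bin/sh
# Added example: list the group IDs a running process really holds (Linux /proc).
# Live use:  explain "/proc/$(pgrep -o hhvm)/status" "$(stat -c %g /srv/foo)"

# Print the filesystem GID and supplementary GIDs found in a status file.
# The "Gid:" line holds real, effective, saved and filesystem GID; file
# permission checks use the last one together with the "Groups:" list.
proc_gids() {
    awk '$1 == "Gid:"    { print $5 }
         $1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }' "$1" |
        sort -un | xargs
}

# Succeed only if GID ($2) is among the IDs in status file $1.
proc_has_gid() {
    for g in $(proc_gids "$1"); do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# Say which permission class of a directory owned by group $2 applies
# (assumes the process UID is not the directory owner, as on this page).
explain() {
    if proc_has_gid "$1" "$2"; then
        echo "gids [$(proc_gids "$1")] include $2: the group bits apply"
    else
        echo "gids [$(proc_gids "$1")] lack $2: only the 'other' bits apply"
    fi
}

# Constructed status text; gid 33 (www-data) and 1001 (fooers) are assumed numbers.
sample_status() {
    printf 'Name:\thhvm\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t%s\n' "$1"
}

# Demo: a process that holds the supplementary group and one that does not.
tmp=$(mktemp -d)
sample_status "33 1001" > "$tmp/with_group"
sample_status "33"      > "$tmp/without_group"
explain "$tmp/with_group" 1001
explain "$tmp/without_group" 1001
rm -rf "$tmp"
```

On a live host, compare the result for the daemon's PID with `id -G www-data`; if the process list is missing an ID that the database reports, the process is running without that group regardless of what `groups` shows.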

Solution 2

This appears to be a bug with HHVM. I've added a ticket to fix this in their project.

OTHER TIPS

Please try changing your config file; there is no SourceRoot in yours. Some of my confs are overridden by start parameters.

Have a look at them here: /usr/bin/hhvm --config /etc/hhvm/server.hdf --user www-data --mode daemon -vServer.Type=fastcgi -vServer.Port=9010

PidFile = /var/run/hhvm/pid

Server {
  Port = 82
  SourceRoot = /var/www/main/
  DefaultDocument = index.php
}

#AdminServer {
#    Port = 9088
#    ThreadCount = 1
#    Password = xxx
#}

Eval {
    Jit = true
    JitWarmupRequests = 5
}

Log {
  Level = Error
  AlwaysLogUnhandledExceptions = true
  RuntimeErrorReportingLevel = 8191
  UseLogFile = true
  UseSyslog = false
  File = /var/log/hhvm/error.log
  Access {
    * {
      File = /var/log/hhvm/access.log
      Format = %h %l %u % t \"%r\" %>s %b
    }
  }
}

#Repo {
#  Central {
#    Path = /var/run/hhvm.hhbc.sq3
#  }
#}

#include "/usr/share/hhvm/hdf/static.mime-types.hdf"
StaticFile {
  FilesMatch {
    * {
      pattern = .*\.(dll|exe)
      headers {
        * = Content-Disposition: attachment
      }
    }
  }
  Extensions : StaticMimeTypes
}

MySQL {
  TypedResults = false
}
Licensed under: CC-BY-SA with attribution