ISPConfig 3 PHP Fatal Error after deb.sury.org PHP upgrade – IDS temp folder becomes read-only (syst

Discussion in 'Installation/Configuration' started by kwisarts, May 13, 2026 at 6:16 PM.

  1. kwisarts

    kwisarts New Member HowtoForge Supporter

    For anyone running into the same issue and scratching their heads:

    Symptoms

    After a PHP or system update (deb.sury.org packages), the ISPConfig interface may fail with HTTP 500 errors.

    Webserver error log shows:
    Code:
    PHP Fatal error: Uncaught InvalidArgumentException: Please make sure the folder '/usr/local/ispconfig/interface/lib/classes/IDS/../../../temp' is writable in Monitor.php
    
    This resolves to:
    Code:
    /usr/local/ispconfig/interface/temp
    
    Strace / logs indicate:
    Code:
    access("/usr/local/ispconfig/interface/lib/classes/IDS/../../../temp", W_OK) = -1 EROFS (Read-only file system)
    
    Directory permissions appear correct:
    Code:
    drwxr-x--- ispconfig ispconfig /usr/local/ispconfig/interface/temp
    
    Root cause

    This is not a filesystem permission issue.

    Recent deb.sury.org PHP-FPM packages enable stricter systemd sandboxing, typically:
    • ProtectSystem=full
    This makes parts of the filesystem read-only inside the PHP-FPM service context, including:

    Code:
    /usr/local/ispconfig/interface/temp
    

    Even though it is writable on disk, systemd blocks write access at runtime.

    Reproduction:
    Code:
    systemd-run --pty --property=ProtectSystem=full touch /usr/local/ispconfig/interface/temp/foo
    
    Result:
    Code:
    Read-only file system
    
    Adding ReadWritePaths does work, as proven by this running successfully:
    Code:
    systemd-run --pty --property=ProtectSystem=full --property=ReadWritePaths=/usr/local/ispconfig/interface/temp touch /usr/local/ispconfig/interface/temp/foo
    
    Fix

    Add an explicit write exception for the ISPConfig temp directory.

    Create or edit (systemctl edit php8.2-fpm):
    Code:
    /etc/systemd/system/php8.2-fpm.service.d/override.conf
    
    Add:
    Code:
    [Service]
    ReadWritePaths=/usr/local/ispconfig/interface/temp
    
    Apply changes

    Reload systemd and restart PHP-FPM (restart is required, not reload):
    Code:
    systemctl daemon-reload
    systemctl restart php8.2-fpm
    
    References

    ProtectSystem documentation:
    URL: https://linux-audit.com/systemd/settings/units/protectsystem/

    Related ISPConfig discussion:
    URL: https://forum.howtoforge.com/threads/ispconfig-error-500.93106/
     
    Taleman, pvanthony, till and 2 others like this.
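
An added example, not part of the original post and not ISPConfig or deb.sury.org code: a small shell model of how `ProtectSystem=` and `ReadWritePaths=` combine, applied to the IDS temp path from the error message. The function names are hypothetical, and `check_unit` assumes `systemctl show` prints `ReadWritePaths=` as a space-separated list.

```shell
#!/bin/sh
# Model of ProtectSystem= + ReadWritePaths= only (function names are hypothetical).
# On-disk permissions, ReadOnlyPaths= and other sandbox options are not modelled.
normalize() (   # normalize PATH: collapse ".", ".." and "//" lexically (symlinks ignored)
    out=""; IFS=/; set -f
    for part in $1; do
        case "$part" in
            ""|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$part" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# is_under PATH PREFIX: true if PATH equals PREFIX or lies beneath it
is_under() { case "$1/" in "${2%/}/"*) return 0 ;; esac; return 1; }

# sandbox_verdict PROTECT_SYSTEM READ_WRITE_PATHS PATH: prints "rw" or "ro"
sandbox_verdict() (
    mode=$1; rw_paths=$2; target=$(normalize "$3")
    case "$mode" in
        no|false|"") ro_roots="" ;;
        yes|true)    ro_roots="/usr /boot /efi" ;;
        full)        ro_roots="/usr /boot /efi /etc" ;;
        strict)      ro_roots="/" ;;
        *)           echo "unknown ProtectSystem=$mode" >&2; exit 2 ;;
    esac
    [ "$mode" = strict ] && rw_paths="$rw_paths /dev /proc /sys"  # API filesystems stay writable
    for p in $rw_paths; do          # explicit exceptions win over ProtectSystem=
        p=${p#-}; p=${p#+}          # drop optional "-" / "+" prefixes
        if is_under "$target" "$(normalize "$p")"; then echo rw; exit 0; fi
    done
    for p in $ro_roots; do
        if is_under "$target" "$p"; then echo ro; exit 0; fi
    done
    echo rw
)

# check_unit UNIT PATH: same verdict for a live unit (needs systemd; not run here)
check_unit() {
    sandbox_verdict "$(systemctl show -p ProtectSystem --value "$1")" \
                    "$(systemctl show -p ReadWritePaths --value "$1")" "$2"
}

# Constructed inputs mirroring the thread: before and after the override.
IDS_TMP='/usr/local/ispconfig/interface/lib/classes/IDS/../../../temp'
echo "before: $(sandbox_verdict full '' "$IDS_TMP")"
echo "after:  $(sandbox_verdict full /usr/local/ispconfig/interface/temp "$IDS_TMP")"
```

On an affected server, `check_unit php8.2-fpm /usr/local/ispconfig/interface/temp` gives the verdict for the running configuration.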
  2. ressel

    ressel Member

  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    @till have you noted this? Other than the suggested, I also noted that in the other thread it was resolved by an ISPConfig, so will ISPConfig have something built in to accommodate or prevent this occurrence in the future?
     
    pvanthony likes this.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I have not had such an issue yet. But I'll add it to the issue tracker so we can write a config file for that.
     
    ahrasis likes this.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Thank you for the fix and sharing it in detail. Helped me. I do appreciate the fix very much.
     
  7. webmaster-eddie

    webmaster-eddie New Member


    So, would a relatively safe alternative be to simply disable IDS for anon and user until there is a patch for latest ISPConfig3 that takes the new hardened fpm security settings into effect? Or do you recommend leaving the IDS alone and applying this fix, and if so, will this fix be "corrected" or taken into account when the ISPConfig3 patch is released with the next ISPConfig version?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    There is actually nothing that needs to be changed or patched in ISPConfig itself, as there is nothing wrong with ISPConfig code here. Ondrej changed a major configuration of his packages in between minor versions and in a way that differs from the config of the underlying Linux distributions. I understand his good intentions, but it is not a good move as he broke your systems. What we will do is add this new config file as described in the first post by the ISPConfig installer, if the system PHP version is not the one of the Linux distribution, but the one from Ondrej.
     
