Issues due converted php-fpm systemd service to use advanced security hardening

With the last updates for PHP the maintainer Ondřej Surý has rolled out strict hardening for PHP-FPM-Instances:

Code:

php8.x (8.x.x-x+ubuntuX.X.X+deb.sury.org+1) unstable; urgency=medium

  * Converted php-fpm systemd service to use advanced security hardening.
  * Enable systemd hardening features by default for FPM instances:
    - ProtectSystem=strict
    - ProtectHome=yes
    - PrivateTmp=yes
    - ProtectControlGroups=yes
    - ProtectKernelModules=yes
    - ProtectKernelTunables=yes
    - ReadWritePaths=
  * NOTE: This restricts PHP-FPM from writing to arbitrary directories
    outside of standard web paths (like /var/www). If your application
    requires writing to custom paths (e.g., /usr/share/... or custom mount
    points), you MUST use systemd overrides to grant ReadWritePaths.

To resolve issues with ISPConfig, you can use the following workaround (for standard PHP 8.2 under Debian 12):

Code:

sudo systemctl edit php8.2-fpm

Insert the following lines:

Code:

[Service]
ReadWritePaths=/usr/local/ispconfig/interface/temp

Reload the configuration:

Code:

sudo systemctl daemon-reload
sudo systemctl restart php8.2-fpm