Issues due to the php-fpm systemd service being converted to use advanced security hardening

Discussion in 'General' started by Uwe Reiher, May 21, 2026 at 10:49 AM.

  1. Uwe Reiher

    Uwe Reiher New Member

    With the latest PHP updates, the maintainer Ondřej Surý has rolled out strict hardening for PHP-FPM instances:
    Code:
    php8.x (8.x.x-x+ubuntuX.X.X+deb.sury.org+1) unstable; urgency=medium
    
      * Converted php-fpm systemd service to use advanced security hardening.
      * Enable systemd hardening features by default for FPM instances:
        - ProtectSystem=strict
        - ProtectHome=yes
        - PrivateTmp=yes
        - ProtectControlGroups=yes
        - ProtectKernelModules=yes
        - ProtectKernelTunables=yes
        - ReadWritePaths=
      * NOTE: This restricts PHP-FPM from writing to arbitrary directories
        outside of standard web paths (like /var/www). If your application
        requires writing to custom paths (e.g., /usr/share/... or custom mount
        points), you MUST use systemd overrides to grant ReadWritePaths.
    To resolve issues with ISPConfig, you can use the following workaround (for standard PHP 8.2 under Debian 12):
    Code:
    sudo systemctl edit php8.2-fpm
    Insert the following lines:
    Code:
    [Service]
    ReadWritePaths=/usr/local/ispconfig/interface/temp
    Reload the configuration:
    Code:
    sudo systemctl daemon-reload
    sudo systemctl restart php8.2-fpm
     
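The override procedure above boils down to two things: writing a drop-in under /etc/systemd/system/<unit>.service.d/ that adds ReadWritePaths= entries, and knowing in advance which paths will and will not be writable once ProtectSystem=strict is in force. The script below is an added example (not from this thread, not ISPConfig's own override, and not the Debian package's unit file) that does both offline: write_rw_dropin generates the drop-in for any number of absolute paths, and writable_under_strict approximates the strict policy (everything read-only except /dev, /proc, /sys, the PrivateTmp /tmp and /var/tmp, and anything at or below a ReadWritePaths= entry) so you can check a path before restarting the service. The drop-in name readwrite-paths.conf, the function names and the simplified policy model are this example's assumptions; it does not model RuntimeDirectory=, StateDirectory=, BindPaths= or ProtectHome=.

```shell
#!/bin/sh
# Added example: generate a systemd drop-in with ReadWritePaths= entries and
# check offline whether a path would be writable under ProtectSystem=strict.
# Assumptions (not from the thread or from ISPConfig): the drop-in file name
# readwrite-paths.conf, the function names, and the simplified policy model.
set -eu

# is_under TARGET BASE: true if TARGET equals BASE or lies below it.
is_under() {
  case "$1" in
    "$2"|"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# write_rw_dropin ROOT UNIT PATH...: write ROOT/UNIT.service.d/readwrite-paths.conf
# with one ReadWritePaths= line per path (the directive is additive, so one
# path per line keeps the file easy to review). ROOT is normally
# /etc/systemd/system; it is a parameter so the function can be tested in a
# temporary directory. Prints the path of the written file.
write_rw_dropin() {
  root="$1"; unit="$2"; shift 2
  for p in "$@"; do
    case "$p" in
      /*) ;;
      *) echo "write_rw_dropin: path must be absolute: $p" >&2; return 1 ;;
    esac
  done
  dir="$root/$unit.service.d"
  mkdir -p "$dir"
  file="$dir/readwrite-paths.conf"
  {
    echo "[Service]"
    for p in "$@"; do echo "ReadWritePaths=$p"; done
  } > "$file"
  echo "$file"
}

# writable_under_strict DROPIN TARGET: approximate ProtectSystem=strict plus
# PrivateTmp=yes. Writable are /dev, /proc, /sys, the private /tmp and
# /var/tmp, and anything at or below a ReadWritePaths= entry in DROPIN.
# Leading "-" (ignore if missing) and "+" (relative to root) prefixes that
# systemd accepts on path entries are stripped before comparison.
writable_under_strict() {
  dropin="$1"; target="$2"
  for base in /dev /proc /sys /tmp /var/tmp; do
    is_under "$target" "$base" && return 0
  done
  for p in $(grep '^ReadWritePaths=' "$dropin" | cut -d= -f2- || true); do
    p=${p#-}; p=${p#+}
    [ -n "$p" ] && is_under "$target" "$p" && return 0
  done
  return 1
}

# Demo when run as "sh script.sh demo": writes into a temporary root, not /etc.
case "${1:-}" in
  demo)
    root=$(mktemp -d)
    f=$(write_rw_dropin "$root" php8.2-fpm /usr/local/ispconfig/interface/temp)
    cat "$f"
    for t in /usr/local/ispconfig/interface/temp/x /usr/share/foo/cache; do
      if writable_under_strict "$f" "$t"; then echo "writable: $t"; else echo "read-only: $t"; fi
    done
    rm -rf "$root"
    ;;
esac
```

After placing the generated file under /etc/systemd/system/php8.2-fpm.service.d/ and running systemctl daemon-reload, confirm the merged value with systemctl show php8.2-fpm -p ReadWritePaths before restarting. Note that prefix matching is exact at path-component boundaries: granting /usr/local/ispconfig/interface/temp does not make /usr/local/ispconfig/interface/temporary writable, which is also how systemd treats it. The offline check is an approximation; the authoritative test is to write a file from inside the actual service sandbox after the restart.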
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please see here for the original thread:

    https://forum.howtoforge.com/thread...ids-temp-folder-becomes-read-only-syst.95140/

    Using an override file, as shown in the other thread, is a better option in my opinion, and that's the approach ISPConfig is using as well. The name of the override file we use is ispconfig.conf. The issue has also been fixed in the ISPConfig auto-installer a few days ago and also in the ISPConfig 3.2 release branch, scheduled for the next update.