[Bug 259089] www/glpi: Fatal error: Uncaught UnexpectedValueException: Permission denied

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 12 Oct 2021 06:40:57 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259089

            Bug ID: 259089
           Summary: www/glpi: Fatal error: Uncaught
                    UnexpectedValueException: Permission denied
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: ohartmann@walstatt.org
                CC: mathias@monnerville.com
             Flags: maintainer-feedback?(mathias@monnerville.com)

Running www/glpi atop a recent www/apache24 on FreeBSD 13.0-RELENG with
GLPI's own cron job has, since the last update of www/glpi, resulted in a
general malfunction of the GLPI service: users are presented with a blank
screen as long as the underlying PHP is in configuration mode "production",
where errors are not exposed.

Switching to the development configuration, where the PHP errors are exposed
to the client, one will face a trivial error:

[...]
Fatal error: Uncaught UnexpectedValueException: The stream or file
"/usr/local/www/glpi/files/_log/php-errors.log" could not be opened in append
mode: failed to open stream: Permission denied

For security reasons the content of the folder /usr/local/www/glpi/files/_log
is not completely accessible by user/group www/www. There are some error log
files important to GLPI which have initially access rights www:www, one of them
is php-errors.log along with cron.log and others.

Resetting the ACL of php-errors.log to www:www mitigates the problem but is
considered a security risk.

But the ACL is changed by the periodically running glpi cron job back to
root:www:

-rw-r--r--  1 root  www   663168 Oct 12 08:24 php-errors.log

And this causes the general malfunction of GLPI.

Changing the ACL manually back to www:www results in a working GLPI, but the
change is periodically overwritten by GLPI's cron back to root:www, as shown
above.

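The ownership condition described in the report (a log file at root:www with mode -rw-r--r--, so the web server user reaches it only through the group class, which has no write bit) can be checked from stat data alone. The following is an added example, not part of the bug report or of GLPI; the function names, the temporary directory and the 0664 mode on cron.log are constructed for illustration, and ACLs and file flags are ignored.

```python
import os
import stat
import tempfile

def can_append(st, uid, gids):
    """Classic owner/group/other write check from stat data (ACLs and file flags ignored)."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if st.st_uid == uid:              # owner class wins, even if group bits are wider
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def unwritable_logs(log_dir, uid, gids):
    """Names of regular files in log_dir that the given uid/gids cannot open for append."""
    blocked = []
    for entry in os.scandir(log_dir):
        if entry.is_file(follow_symlinks=False):
            if not can_append(entry.stat(follow_symlinks=False), uid, gids):
                blocked.append(entry.name)
    return sorted(blocked)

def constructed_sample():
    """Constructed stand-in for files/_log: returns (dir, owner_uid, file_gid)."""
    d = tempfile.mkdtemp(prefix="glpi_log_")
    # php-errors.log mirrors the mode shown in the report; cron.log's mode is made up.
    for name, mode in (("php-errors.log", 0o644), ("cron.log", 0o664)):
        path = os.path.join(d, name)
        open(path, "w").close()
        os.chmod(path, mode)
    st = os.stat(os.path.join(d, "php-errors.log"))
    return d, st.st_uid, st.st_gid

if __name__ == "__main__":
    d, owner, gid = constructed_sample()
    web_uid = owner + 1               # hypothetical non-owner standing in for www
    print("blocked for group member:", unwritable_logs(d, web_uid, {gid}))
    print("blocked for owner:", unwritable_logs(d, owner, {gid}))
```

On a real host the uid and group set of the web server account would come from `pwd.getpwnam` and `os.getgrouplist`, and `log_dir` would be the GLPI log directory.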