Run Nginx and PHP-FPM as user QTMHHTTP without 5250 program using SBMJOB and QSH

Issue #141 closed
Chris Sears created an issue

Installing and configuring open source PHP and Nginx on the IBMi was pretty straight forward. I am now trying to run the Nginx and PHP process as QTMHHTTP user, and found this was only possible using a 5250 program that uses SBMJOB and QSH.

There is a “user” directive in the nginx.conf, but when the config is tested or run the warning below is output:

[warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /QOpenSys/etc/nginx/nginx.conf:1

I am connected with a SO user that has “ALLOBJ” authority. Is there another authority that would be considered “super-user”?

Some alternatives online suggest to use a “sudo” command, however this is not an available utility currently on the IBMi in PASE.

Below are 2 install scripts that show how Nginx and PHP can be run as another user (QTMHHTTP) by installing a 5250 program and admin menu to submit the QSH command as a user in batch. I would prefer not to have to rely on this method, and would rather administer the Nginx and PHP-FPM using PASE and scripts that I set up. Actually the options below to stop PHP from 5250 program are simply calling a shell script with QSH. Seems counter-intuitive.

https://github.com/jdukleth/ibmi-www-techstack-automation/blob/master/www-install.sh

https://gist.github.com/jordiwes/c0cfd30bd0bdc5c726946ec583d77315

Comments (10)

  1. Kevin Adler

    From what I recall, nginx assumes only UID 0 (i.e. root) can swap profiles on other systems but I believe we’ve patched it to allow any user to run the command - this would allow you to swap to any *USRPRF which you have *USE authority to. It’s possible that an nginx upgrade has added more checks which we need to patch. You could also try starting it as QSECOFR, which has UID 0 and should satisfy all the checks.

  2. Chris Sears reporter

    Thanks for the info… I believe there is only 1 profile that administers our IBMi with QSECOFR authority, and it’s not me. I can check and see if that works after they return from vacation in a week. Not sure that is a typical authority though for the support staff that administers daily processes. Hopefully there is an alternative.

    Not sure what you mean by swap to any *USRPRF that I have *USE authority to… When I am logged in via SSH to PASE, is there a command you know of to swap to another user? The “su” and “sudo” commands are not currently available on the IBMi.

    Appreciate the help!

  3. Kevin Adler

    There is no command, but the standard Unix setuid/seteuid APIs will allow you to swap profiles (NGINX does this for you). Just like QSYGETPH, you can swap to any user profile without a password as long as you have *USE authority to the profile object.

  4. Chris Sears reporter

    Sorry for the long delay… I did verify today that my user profile has *ALL authority to the QTMHHTTP profile object.

    I created a bash script that starts Nginx, and configured the setuid user execute permissions for this script, and changed the owner to QTMHHTTP. Unfortunately the service still gets started as myself and does not apply the setuid permissions.

    I did some searching and see there are actually restrictions with Unix kernel not allowing setuid with interpreted executable files. One article is below:

    https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts

    Does this need to be contained in another wrapper to execute the setuid?

    Thanks again for your help.

  5. Chris Sears reporter

    The suggestion for using the system command in a shell script, which calls SBMJOB and QSH, seems like the best/simplest option. It keeps the administration in PASE, instead of requiring a 5250 session. Thanks.

    I did confirm as well my user profile is part of a QSECOFR group, one of many users part of this group, but it is not UID 0. The user directive in the nginx.conf seems like the preferred solution, but I still have not confirmed with the user QSECOFR UID 0 that this works yet. Hopefully will be able to test this soon.

    Alternatively the sudo utility would be a familiar option for Unix/Linux users, but is not currently available on the IBMi. I suppose I can submit an RFE to request this utility.
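The approach described in the comment above (keep administration in PASE, but let a batch job do the profile switch) can be scripted as follows. This is an added example, not a script from the issue or from either linked repository: it assumes nginx is installed at /QOpenSys/pkgs/bin/nginx, that the `system` PASE utility is available to run CL, that the SSH user has *USE authority to the QTMHHTTP profile (the SBMJOB USER parameter is what actually switches the profile), and that QUSRNOMAX is an acceptable job queue; the job name NGINX is arbitrary.

```shell
#!/QOpenSys/pkgs/bin/bash
# Added example (not from the issue or the project): start, stop or reload nginx
# from a PASE shell by submitting a batch job that runs QSH under another
# profile. Assumptions: nginx binary/config paths below, *USE authority to the
# target profile, and a usable job queue (QUSRNOMAX is a guess; adjust locally).

NGINX_BIN="${NGINX_BIN:-/QOpenSys/pkgs/bin/nginx}"
NGINX_CONF="${NGINX_CONF:-/QOpenSys/etc/nginx/nginx.conf}"
RUN_AS="${RUN_AS:-QTMHHTTP}"   # profile the submitted job runs under
JOBQ="${JOBQ:-QUSRNOMAX}"      # job queue for the batch job (assumption)

# build_sbmjob start|stop|reload -> prints the CL command that will be submitted.
# Keeping this separate lets an admin inspect the exact command before running it.
build_sbmjob() {
  action="$1"
  case "$action" in
    start)  qsh_cmd="$NGINX_BIN -c $NGINX_CONF" ;;
    stop)   qsh_cmd="$NGINX_BIN -c $NGINX_CONF -s quit" ;;
    reload) qsh_cmd="$NGINX_BIN -c $NGINX_CONF -s reload" ;;
    *) echo "usage: build_sbmjob start|stop|reload" >&2; return 1 ;;
  esac
  # SBMJOB's CMD parameter is a command string, so the QSH argument keeps its
  # own single quotes; USER() is what makes the job run as another profile.
  printf "SBMJOB CMD(QSH CMD('%s')) USER(%s) JOB(NGINX) JOBQ(%s)\n" \
    "$qsh_cmd" "$RUN_AS" "$JOBQ"
}

# submit start|stop|reload -> validates config (for start) and submits the job.
# `system` only exists on IBM i PASE; elsewhere this reports an error.
submit() {
  cl=$(build_sbmjob "$1") || return 1
  if [ "$1" = start ]; then
    # Test the configuration as the current user before handing it to batch,
    # so a syntax error shows up here instead of in a job log.
    "$NGINX_BIN" -t -c "$NGINX_CONF" || return 1
  fi
  system "$cl"
}

# Only act when invoked with an argument, so the file can also be sourced.
if [ -n "${1:-}" ]; then
  submit "$1"
fi
```

Because the job runs as QTMHHTTP, that profile (not the SSH user) needs read access to nginx.conf and write access to the pid and log directories; a failed start shows up in the submitted job's job log (WRKJOB NGINX or DSPLOG), not on the PASE terminal. This sidesteps nginx's own `user` directive entirely, so it does not depend on the *ALLOBJ requirement discussed later in the thread.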

  6. Chris Sears reporter

    Our IBMi will be hosting several sites, and from what I have learned about PHP-FPM it is possible to create separate pools for each domain/site, to be run as separate users. Each pool .conf file is located under “/QOpenSys/etc/php/php-fpm.d/*.conf”. I have configured the user directive in these php-fpm .conf files to use a different user profile, with the listen.owner directive to be set for the Nginx user (QTMHHTTP).

    This could be a separate issue, but I am not able to get the PHP-FPM pools running as the user defined in each pool, with the user directive. Echoing out from PHP, listing the processes in PASE, and even WRKACTJOB SBS(*ALL) JOB(QP0ZSPWP), all show the process user that PHP-FPM is running as will be the same user that starts PHP-FPM.

    Is this a potential bug/issue with PHP-FPM? We would like separate users to be running PHP-FPM pools for each domain/site.
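The per-site pool layout described above (workers under a site-specific profile, socket owned by the nginx user) looks like this when generated from a small PASE script. This is an added example, not configuration from the issue or the PHP project: the pool directory is the one the comment names, while the socket path under /QOpenSys/var/run, the /www/<site> document root, the php-fpm binary path and the site/profile names are constructed for illustration.

```shell
#!/QOpenSys/pkgs/bin/bash
# Added example (not from the issue or PHP-FPM): emit and install a PHP-FPM pool
# for one site so that its workers run under the site's own profile while the
# listening socket stays owned by the nginx user. Paths other than the pool
# directory are assumptions; adjust to the local layout.

POOL_DIR="${POOL_DIR:-/QOpenSys/etc/php/php-fpm.d}"   # from the thread
NGINX_USER="${NGINX_USER:-QTMHHTTP}"
PHP_FPM="${PHP_FPM:-/QOpenSys/pkgs/bin/php-fpm}"      # assumption
SOCK_DIR="${SOCK_DIR:-/QOpenSys/var/run}"              # assumption

# pool_conf NAME USER GROUP -> pool definition on stdout
pool_conf() {
  name="$1"; user="$2"; group="$3"
  cat <<EOF
[$name]
; workers for this site run under the site's own profile ...
user = $user
group = $group
; ... while the socket is owned by the nginx user so only nginx can connect
listen = $SOCK_DIR/php-fpm-$name.sock
listen.owner = $NGINX_USER
listen.mode = 0600
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; keep one site's PHP code from reading another site's files
php_admin_value[open_basedir] = /www/$name:/tmp
EOF
}

# install_pool NAME USER GROUP -> writes NAME.conf and validates all pools.
install_pool() {
  name="$1"; user="$2"; group="$3"
  # refuse to write a pool for a profile that does not exist on this system
  id "$user" >/dev/null 2>&1 || { echo "profile $user not found" >&2; return 1; }
  pool_conf "$name" "$user" "$group" > "$POOL_DIR/$name.conf"
  # -t parses every pool in the directory before anything is restarted
  "$PHP_FPM" -t
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
  install_pool "$1" "$2" "$3"
fi
```

The `user`/`group` settings only take effect if the PHP-FPM master can switch profiles after start-up, which is exactly the point raised later in this thread: on IBM i that depends on the profile that starts php-fpm, so after starting it, compare the owner column of `ps -ef | grep php-fpm` (or WRKACTJOB for QP0ZSPWP) against the `user` line of each pool to confirm the switch actually happened.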

  7. Kevin Adler

    Just to follow up, we did release an update to NGINX which does not require the user starting NGINX to be QSECOFR to use the user directive. We still do require *ALLOBJ authority, however due to limitations in the qsysetuid API and rewriting the code to use QSYGETPH was going to be too complicated at the moment.

    I’m not sure about the FPM issue, but it’s possible that it is not working correctly due to the same limitation I mentioned previously (since QTMHHTTP does not have *ALLOBJ). 😞

  8. Jesse G

    Chris, you can also check out https://github.com/ThePrez/ServiceCommander-IBMi which might help. If you want to run as another user without requiring *ALLOBJ, it can be pretty easy to set up by adding sbmjob_opts: "USER(OTHERUSR)" in the YAML configuration (really this is just doing a SBMJOB under the covers, so you could just start the nginx process via SBMJOB yourself also).
