[#ZBX-24272] Packages install PHP UI into inappropriate location

[ZBX-24272] Packages install PHP UI into inappropriate location Created: 2024 Mar 27 Updated: 2024 Nov 26 Resolved: 2024 Nov 07
Status:	Closed
Project:	ZABBIX BUGS AND ISSUES
Component/s:	Frontend (F), Packages (C)
Affects Version/s:	6.0.29rc1, 6.4.14rc1, 7.0.0beta2
Fix Version/s:	7.0.0rc3, 7.2.0alpha1

Type:

Problem report

Priority:

Trivial

Reporter:

Juris Lambda (Inactive)

Assignee:

Jurijs Klopovskis

Resolution:

Fixed

Votes:

Labels:

None

Remaining Estimate:

Not Specified

Time Spent:

Not Specified

Original Estimate:

Not Specified

Environment:

Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Debian 10, Debian 11, Debian 12

Issue Links:

Duplicate

Team:

Team D

Sprint:

S24-W20/21, S24-W22/23

Story Points:

Description

Zabbix ships its PHP web UI application(s) as the zabbix-web and zabbix-frontend-php packages, for RPM and Debian package manager based systems respectively. Both of these packages install the PHP application files under /usr/share/zabbix.

Both Red Hat Enterprise Linux (and derivatives or clones, such as SUSE Linux, Oracle Linux, Rocky Linux, Alma Linux, etc.) and Debian (and derivatives, such as Ubuntu and Raspberry Pi OS) implement the Filesystem Hierarchy Standard. RHEL does not explicitly state the version of the standard it complies with.^[1]^[2]

The standard describes the /usr/share directory as used for all read-only architecture independent data files. This directory should contain files, subsystem specific directories, or application specific directories, with data files used by the respective applications. Commonly, application packages use this directory to store images, static databases, default configurations, and auxiliary source code files that can be sourced by the main application (as an example, shells do this, to provide optional functionality additions).

As systems conforming to FHS are allowed to expect the /usr directory to be read-only, the current web UI application package violates this expectation, as the UI setup wizard writes the configuration file to the conf sub-directory of the application root directory. As a result of this, the current directory choice is incorrect in regards to compliance with FHS.

Additionally, Zabbix provides two packages, zabbix-apache-conf and zabbix-nginx-conf, containing configuration for the Apache and Nginx web servers respectively.

These configurations set the /usr/share/zabbix directory to be served by the web server and describe rules allowing and/or denying requests for files and directories in this tree. Thus, using this directory to store actual static Zabbix related data becomes inappropriate, as access to them, if not covered by rules in these configuration files, depends on the global configuration of the web server, which Zabbix is not in control of. This effectively prevents using the directory for other purposes. An example would be providing the optional database patches, which, due to the current use of the directory, have been split out into a separate /usr/share/zabbix-sql-scripts directory.

The two web servers, Apache and Nginx, default to setting their document root directories to /var/www/html and /usr/share/nginx/html respectively.

In both cases, these directories hold the default, static HTML documents for common requests that are not over-ridden by other rules or do not route to valid virtual hosts and/or documents (such as the default index.html page, 404.html, 50x.html, and related assets).

The suggestion is to move the configuration file into the zabbix system configuration directory, /etc/zabbix, and move the PHP application files to a nested directory, /usr/share/zabbix/cgi-bin or equivalent, to allow the /usr/share/zabbix directory to be used for additional purposes.

This will, however, prevent the setup wizard from writing the configuration file.

if we wish to maintain this behavior, the application files should be moved to a directory known to be writable by the web server process user.

During the installation of Zabbix server, proxy and/or agent packages, the post-install hook creates a dedicated user, and sets its home directory, usually to /var/lib/zabbix, which is always be writable, as the entire /var tree is intended for writable data. This directory does not get created, as in the RPM case, the hook creates a system user, and in the case of Debian, the hook explicitly passes --no-create-home to adduser.

However, as the /var hierarchy in general is intended for variable data (such as mail spools, logs and socket files), this isn't an appropriate location either.

Another option would be to actually create a dedicated user directory under /home, which should be writable, but is optional, according to the FHS, and could still cause problems if not set up correctly, such as not being readable by the user running the web server or FPM processes.

In general, having the UI write its configuration to the file system seems inappropriate, and maybe should be reconsidered.

^[1]: RHEL: https://access.redhat.com/articles/rhel8-abi-compatibility
^[2]: Debian: https://wiki.debian.org/FilesystemHierarchyStandard

Comments

Comment by Michal Kudlacz [ 2024 Mar 28 ]

Summarizing:

Zabbix PHP web UI applications are distributed via zabbix-web and zabbix-frontend-php packages for RPM and Debian systems respectively, installing under /usr/share/zabbix.
FHS expects /usr/share to hold read-only, architecture-independent data, but Zabbix setup violates this by writing to this directory.
zabbix-apache-conf and zabbix-nginx-conf packages configure web servers to serve from /usr/share/zabbix, limiting its use for static data due to potential access control issues.
The Apache and Nginx servers default document roots are /var/www/html and /usr/share/nginx/html, intended for static HTML documents.
Suggestions include moving the configuration file to /etc/zabbix and PHP application files to a subdirectory within /usr/share/zabbix to maintain FHS compliance and enhance directory usage flexibility. This, however, could make the setup wizard's functionality more difficult.

Conclusion: The deployment of Zabbix Front End challenges FHS compliance due to its writing operation in a supposed read-only directory and complicates the efficient use of web server configurations.

Fair point as FHS_3.0 states it nice and clear:

The /usr/share hierarchy is for all read-only architecture independent data files. [30]

This hierarchy is intended to be shareable among all architecture platforms of a given OS; thus, for example, a site with i386, Alpha, and PPC platforms might maintain a single /usr/share directory that is centrally-mounted. Note, however, that /usr/share is generally not intended to be shared by different OSes or by different releases of the same OS.

Any program or package which contains or requires data that doesn't need to be modified should store that data in /usr/share (or /usr/local/share, if installed locally). It is recommended that a subdirectory be used in /usr/share for this purpose. Applications using a single file may use /usr/share/misc.

Game data stored in /usr/share/games must be purely static data. Any modifiable files, such as score files, game play logs, and so forth, should be placed in /var/games.

https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html#ftn.idm236091847456

On the other hand, the FHS provides guidelines for filesystem structure with the aim of standardization and compatibility. However, practical exceptions are sometimes necessary to accommodate specific application requirements or to enhance user experience. If current structure serves its user base effectively, deviating from FHS guidelines in this case could be justified. Current setup, where Zabbix PHP application files reside in /usr/share/zabbix, is a practice that has been in place for years. It offers operational continuity for users and administrators familiar with the existing structure. Changing this could introduce confusion.

Comment by Juris Lambda (Inactive) [ 2024 Mar 28 ]

Hey, mkudlacz.

I disagree with the last portion of your comment, because that room for deviation or exceptions is given to the system engineers who define the system policy (i.e. Red Hat Enterprise Linux and Debian maintainers, in this case), not arbitrary applications (i.e. Zabbix). This would be the case if any of the LSB components, or additional applications from the distribution maintainers, would behave in this manner as part of the base system install, but they do not on any system that advertises LSB or FHS compliance.

I also disagree with the argument along the lines of "well, we've always done it this way", as what it reads as is "we've always done it wrong and will continue doing so". Nor with the assertion that this would "introduce confusion", as this just sounds like we consider users to be inept. Maintaining this behavior, because the "users may get confused", at the expense of those users that want to run standards compliant systems and make full use of them, would be odd to say the least.

The current behavior actually prevents me from running disk-less systems, as due to the configuration file residing where it does, multiple hosts can no longer share a single, read-only /usr mount.

Comment by Michal Kudlacz [ 2024 Mar 28 ]

Hi Juris,

Please don't get me wrong. I fully support your statements and agree that adherence to standards and best practices is crucial for system compatibility and maintenance. My intention in presenting the other perspective was not to dispute this importance but to acknowledge that there are complex factors at play. These factors include the practical implications of changes for existing users and systems.

Confirming and moving to Development.

Comment by Juris Lambda (Inactive) [ 2024 Mar 28 ]

All good, mkudlacz! I didn't mean to come off as contrarian.

I think that we should address this in packages as soon as we feasibly can, and maybe for 7.0 consider getting rid of the wizard writing portion altogether (instead maybe displaying the configuration with instructions on how to install it, and still providing the option of downloading it as a file).

I get that there are a bunch of factors in play here, but correcting wrongs is always a bit painful, and this would be a noticeable change. At the same time, keeping these warts around just out of comfort isn't a great idea either, and I think a major version release is the correct time for that change, as with all other major behavior overhauls.

Comment by Jurijs Klopovskis [ 2024 May 27 ]

Frontend part fixed in pre-7.0.0rc3

Frontend files moved from /usr/share/zabbix to /usr/share/zabbix/ui
Removed symlink to zabbix.conf.php file in /etc/zabbix/web on DEB-based systems. Patching the frontend code to write configuration directly to /etc/zabbix/web/ directory, like it is already done on RPM-based systems.

Comment by Michal Kudlacz [ 2024 May 29 ]

Upgrade from earlier versions results with 403 Forbidden or page not found.

Paths remain unchanged in /etc/nginx/conf.d/zabbix.conf

               root    /usr/share/zabbix;

               fastcgi_param   DOCUMENT_ROOT   /usr/share/zabbix;
               fastcgi_param   SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
               fastcgi_param   PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;

Correcting paths and restarting nginx and php-fpm resolves the issue. I believe the same is applicable for apache / httpd.

Comment by Jurijs Klopovskis [ 2024 May 29 ]

I presume, that the configuration was not overwritten during upgrade, as it should, mkudlacz.
This is standard behavior of package managers to preserve configuration files with user edits.

The user should install the new file, and the reconfigure the necessary settings. Hence we are only doing this change for a major 7.0 release.

The package is in fact correct.

packager@builds:~/pkg/deb$ ar x zabbix-nginx-conf_7.0.0~rc3-1+debian12_all.deb
packager@builds:~/pkg/deb$ tar xvf data.tar.xz
./
./etc/
./etc/zabbix/
./etc/zabbix/nginx.conf
./etc/zabbix/php-fpm.conf
./usr/
./usr/share/
./usr/share/doc/
./usr/share/doc/zabbix-nginx-conf/
./usr/share/doc/zabbix-nginx-conf/changelog.Debian.gz
./usr/share/doc/zabbix-nginx-conf/changelog.gz
./usr/share/doc/zabbix-nginx-conf/copyright
packager@builds:~/pkg/deb$ grep -n /usr/share/zabbix ./etc/zabbix/nginx.conf
5:        root    /usr/share/zabbix/ui;
41:                fastcgi_param   DOCUMENT_ROOT   /usr/share/zabbix/ui;
42:                fastcgi_param   SCRIPT_FILENAME /usr/share/zabbix/ui$fastcgi_script_name;
43:                fastcgi_param   PATH_TRANSLATED /usr/share/zabbix/ui$fastcgi_script_name;

Comment by Jurijs Klopovskis [ 2024 May 30 ]

Tips for upgrading from earlier versions < 7.0

This should only affect nginx users, unless you edited /etc/httpd/conf.d/zabbix.conf file, which is not normally needed.

RedHat and SUSE:

You will get the following message when running dnf update.

  Upgrading        : zabbix-nginx-conf-7.0.0-release1.el8.noarch               4/16
warning: /etc/nginx/conf.d/zabbix.conf created as /etc/nginx/conf.d/zabbix.conf.rpmnew

Backup the /etc/zabbix/nginx.conf file.

cp /etc/zabbix/nginx.conf /etc/zabbix/nginx.conf.bak

Replace the old configuration file with the new one.

cp /etc/nginx/conf.d/zabbix.conf.rpmnew /etc/nginx/conf.d/zabbix.conf

Then edit the file and restore your old configuration.

Debian / Ubuntu / Raspberry Pi OS:

Backup the /etc/zabbix/nginx.conf file.

cp /etc/zabbix/nginx.conf /etc/zabbix/nginx.conf.bak

You will get the following message when running apt upgrade command.

Configuration file '/etc/zabbix/nginx.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** nginx.conf (Y/I/N/O/D/Z) [default=N] ?

Select the Y or I option to install the updated file. Then edit the /etc/zabbix/nginx.conf to restore whatever configuration you had there.

Comment by Jurijs Klopovskis [ 2024 May 31 ]

After consulting with alexei, we decided to revert the change for 7.0.0 stable release.

Comment by Jurijs Klopovskis [ 2024 Oct 18 ]

Available in 7.2.0alpha1

Comment by Jurijs Klopovskis [ 2024 Nov 04 ]

NOTE: I ended up not removing conf file symlink on debian. So in 7.2 it works the same way as in earlier versions.

Comment by Jurijs Klopovskis [ 2024 Nov 05 ]

Released 7.2.0alpha1-2 packages for all deb systems with a fix for the symlink location 5708624615b

Comment by Martins Valkovskis [ 2024 Nov 05 ]

Updated documentation:

Upgrade notes: 7.2

Generated at Sun Apr 05 05:57:26 EEST 2026 using Jira 10.3.18#10030018-sha1:5642e4ad348b6c2a83ebdba689d04763a2393cab.