nginx php fastcgi unable to write , permission denied even using his own permission

5
votes

Hi' i have permission denied when using write to text function like file_put_contents. i'm using nginx inside centos 6 environment, i use php-fcgi

the problem ONLY solved by set the dir permission to 777, but i dont want that solution.

here's the php code

<?php
    error_reporting(E_ALL);
    header("content-type:text/plain");
    if(isset($_GET['akarapaci'])) {phpinfo();}
    echo getcwd();
    echo "\nscript owner : ".get_current_user()."\n";
    echo "\nscript getmyuid : ".getmyuid()."\n";
    echo "\nscript getmygid : ".getmygid()."\n";

    file_put_contents(dirname(__FILE__)."/X","1");
?>

here's the result :

/var/www/html
script owner : nginx

script getmyuid : 496

script getmygid : 493

the code is just simple write to file /var/www/html/X (the file not created yet), and have error like this

2012/10/27 19:51:59 [error] 1010#0: *32 FastCGI sent in stderr: "PHP Warning:  file_put_contents(/var/www/html/X): failed to open stream: Permission denied in /var/www/html/info.php on line 10" while reading response header from upstream, client: 111.94.49.72, server: vprzl.com, request: "GET /info.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "vprzl.com"

and here's the list of dir inside /var/www/

total 40
drwxr-xr-x 2 root  root   4096 Oct 27 08:44 backup
drwxr-xr-x 2 root  root   4096 Feb 14  2012 cgi-bin
drwxrwxrwx 3 root  root  12288 Oct 27 08:47 devel
drwxr-xr-x 3 root  root   4096 Oct 20 04:48 error
drwxrwxr-x 2 nginx nginx  4096 Oct 27 19:24 html
drwxr-xr-x 3 root  root   4096 Oct 17 18:19 icons
drwxr-xr-x 5 root  root   4096 Oct 27 16:57 images
drwxr-xr-x 2 root  root   4096 Oct 26 14:28 secret

and here's my nginx.conf 

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;


    server {
      listen          80;
      server_name     vprzl.com www.vprzl.com;
      index           index.html;
      root            /var/www/html/;

      location / { 
          # Rewrite rules and other criterias can go here
          # Remember to avoid using if() where possible (http://wiki.nginx.org/IfIsEvil)
          index  index.html index.htm;
      }

      location ~ \.php$ {
          include fastcgi_params;
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      }
    }

    server {
      listen          80;
      server_name     images.vprzl.com;
      index           index.html;
      root            /var/www/images/;

      location / { 
          # Rewrite rules and other criterias can go here
          # Remember to avoid using if() where possible (http://wiki.nginx.org/IfIsEvil)
          index  index.html index.htm;
      }
    }

    server {
      listen          80;
      server_name     secret.vprzl.com;
      index           index.html;
      root            /var/www/secret/;

      location / { 
          index  index.html index.htm;
      }
    }
}
4
phpnginxcentosfastcgicentos6
Under which user does the fastcgi deamon run and under which user does the PHP script run? You normally do not need global "rwx" when you know which specific user needs to have write access.hakre
What is the output of ps aux | grep nginx?Brendan
this is the result ps aux | grep nginx root 1009 0.0 0.1 44624 1176 ? Ss Oct27 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf nginx 1010 0.0 0.2 45048 2140 ? S Oct27 0:00 nginx: worker process root 3588 0.0 0.0 103228 848 pts/0 S+ 02:09 0:00 grep nginxShin Dapaty

4 Answers

5
votes

found the culprit! (of my own answer) i just have to change a line in the file /etc/init.d/php-fcgi

from 

PHPUSER=php

to

PHPUSER=nginx

and then restart

2
votes

(i) if you have set user:group to nginx and the permissions are 0755 then you are ok (ii) if you still have permission denied, then check selinux. i.e

$sudo setenforce 0

(iii) With selinux disabled, check if you are now able to write.

0
votes

PLease do not disable you SELinux. here are the steps you need to take carefully to overcome this problem: first of all selinux is the central security of your system. and it handles all read and write to files.

1) all folder in /var/www must have permission 755.

you can do this by : find "folder" -type d -exec chmod 755 {} \;

2) all files must have permission 644 :

find "folder" -type f -exec chmod 644 {} \;

3) the specific folder you need to write or create file must have 0777 permission.

chmod 0777 "folder"

4) then tell SELinux to allow write in that specific dir or for a specific file:

chcon -t httpd_sys_rw_content_t test.txt

Neither set all your folders permission to 777 not disable your Selinux.

0
votes

You must grant access your web folder to nginx:nginx (chown nginx:nginx) or whatever user who you started nginx service. Then restart the services web. More info enter link description here Greetings