23
votes

After an update of my system I ran into a bad gateway error of my PHP apps running on Nginx.

connect() to unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock failed (13: Permission denied) while connecting to upstream, client: xx.xxx.xx.xx, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock:", host: "xx.xx.xx.xx"

The problem is caused by bad permissions on the php-fpm sockets used; in fact I see /var/run/php-fcgi.sock owned by root:root, but nginx and php-fpm run as user www-data.

I've already edited the php-fpm config at /etc/php-fpm.d/www.conf with:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

but it doesn't solve the problem, and when I restart nginx and php-fpm the sockets are created with root:root as user/group.

The only way I've found to fix it is to change the owner of the sockets to www-data:www-data manually. But this is not a real solution because every time I restart my services I have to apply it again.

How can I fix this problem? I'm on CentOS 6.5

Edit:

I use Ajenti-V to configure my vhosts and my PHP-FPM. It creates a new socket for each website/vhost, and they are set in /etc/php-fpm.conf

They have this structure:

[vhostname-php-fcgi-0]
user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

If I add to each entry these strings:

listen.owner = www-data
listen.group = www-data
listen.mode = 0666

Everything works correctly.

So it looks like the www.conf is not included (maybe?). This is my php-fpm.conf:

[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log


[global-pool]
user = www-data
group = www-data
listen = /var/run/php-fcgi.sock

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5


[vhostname-php-fcgi-0]
user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
7
I've withdrawn my answer as it was incorrect. In my case 0666 was the solution because of different groups in nginx and php-fpm. But I also checked my installation (CentOS 6.5 as well) and I don't see this problem... PHP 5.4.28 (cli) (built: May 2 2014 19:09:57) - Denis V
I've just updated my PHP version and it's the same - no such issue. PHP 5.4.29 (cli) (built: Jun 5 2014 16:07:48). The last thing that I can imagine is that www.conf is for some reason not used in your case. - Denis V
Yes, I think it ignores these settings... but I have no idea how to fix it. - Fez Vrasta
Hmm, try using the pool setting. Nginx Bad Gateway means it can't find php or php-fpm is busy. Please provide the error log from NGINX. - Kavin
I've added the error log, btw it's just what I've already explained... - Fez Vrasta

7 Answers

33
votes

Config files FPM will read

/etc/php-fpm.conf is the config file FPM will read (on CentOS). If you want FPM to read other config files as well, you need to tell it that.

You can do this by placing the line include=/etc/php-fpm.d/*.conf at the bottom of /etc/php-fpm.conf. It will then read everything in the directory /etc/php-fpm.d (that ends with .conf).

Then place the global directives and the include line in /etc/php-fpm.conf. This could look something like this:

[global]

pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log

include=/etc/php-fpm.d/*.conf

And have a separate file in /etc/php-fpm.d for each pool.

Example /etc/php-fpm.d/global.conf:

[global-pool]

user = www-data
group = www-data

listen = /var/run/php-fcgi.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Example /etc/php-fpm.d/vhostname-0.conf:

[vhostname-php-fcgi-0]

user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Directives to pay attention to

  • Every pool should use a different socket. If you have multiple pools using the same socket you'll get issues.

  • The directives user and group control the user/group which the FPM process for that pool will run as. These do not specify the user/group of the socket.

  • The directives listen.owner and listen.group control the user/group the socket uses for that pool.

  • The pool directives (like listen.*) will only work for pools. So you can't use them in the global section, you have to specify them for each pool.

Socket permissions

The permissions 0660 are perfectly fine when listen.owner and listen.group are the same as the webserver. You could even use 0600, but one might argue that any user that can operate under the same group as the webserver can also use the socket, so I would use 0660.

7
votes

Just adding here that the listen.acl_users directive should be commented, otherwise, it will override the listen.owner and listen.group values:

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users = apache,nginx
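
The directive rules from the two answers above (listen.* belongs in a pool, one socket per pool, listen.acl_users replacing listen.owner/listen.group) and the 0660 versus 0666 choice can be checked mechanically. This Python audit is an added example, not code from any answer or from PHP-FPM; the sample config and the finding labels are constructed, and it assumes all pools are passed in as one text (include= lines are not followed).

```python
# Constructed sample modelled on the question's /etc/php-fpm.conf (not a real host).
SAMPLE_CONF = """\
[global]
listen.owner = www-data
[global-pool]
listen = /var/run/php-fcgi.sock
[vhostname-php-fcgi-0]
listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
[vhostname-php-fcgi-1]
listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock
listen.acl_users = apache,nginx
"""

def parse_sections(text):
    """Return {section: {key: value}}; lines starting with ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Return sorted (section, finding) pairs for unix-socket listeners."""
    findings, owners = set(), {}
    for name, cfg in parse_sections(text).items():
        if name == "global":  # listen.* must be set per pool, not in [global]
            findings |= {(name, "pool-directive-in-global") for k in cfg if k.startswith("listen")}
            continue
        sock = cfg.get("listen", "")
        if not sock.startswith("/"):
            continue  # TCP listener: socket file permissions do not apply
        if owners.setdefault(sock, name) != name:  # two pools, one socket path
            findings.add((name, "socket-shared-with-" + owners[sock]))
        if "listen.acl_users" in cfg:  # ACL replaces listen.owner/listen.group
            findings.add((name, "acl-overrides-owner"))
        elif not cfg.keys() >= {"listen.owner", "listen.group"}:
            findings.add((name, "socket-owner-unset"))  # falls back to running user
        if int(cfg.get("listen.mode", "0660"), 8) & 0o006:  # "other" may read/write
            findings.add((name, "socket-open-to-all-local-users"))
    return sorted(findings)
```

Running `audit(SAMPLE_CONF)` reports the unowned socket of global-pool (the root:root case from the question) and flags 0666 because that mode lets any local account, not only the web server, connect to the pool.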
6
votes

NGINX runs as user nginx and php5-fpm as user www-data. Just add nginx to group www-data and the problem is solved, and nginx can access /var/run/php5-fpm.sock. Works great with Ubuntu 14.04, nginx 1.7.10, PHP 5.5.9-1ubuntu4.6 (fpm-fcgi):

$ sudo usermod -aG www-data nginx
1
votes

Everybody! That's my issue too. I just changed my fpm user to vagrant, restarted my pools and ... it's done! Here is my conf:

user = vagrant
group = nginx

listen.owner = vagrant
listen.group = nginx
listen.mode = 0660

Hope it can help someone.

1
votes

On my installation (CentOS 7.5, Apache with PHP 7.1 and PHP 5.6) I had the same problem, where I had to manually fix the permissions on the php56-php.fpm.sock (owned by root) after every reboot.

My config for php56 was here and may be different on your install: /opt/remi/php56/root/etc/php-fpm.d/www.conf

I changed this commented section in the file:

listen.owner = nginx
listen.group = nginx
listen.mode = 0666

Now after restart everything is fine with correct permissions on the socket file. Not sure about the listen.mode. I think 0660 also works.

0
votes

Hello everyone, and thanks for the help. In my case, with Ubuntu Server 14.04, nginx and php5-fpm, the problem with the php-fpm socket owned by root was solved by editing the file /etc/php5/fpm/pool.d/www.conf. Uncomment the lines:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

On a clean installation the nginx owner and group are www-data. I think that the best practice is to look at /etc/nginx/nginx.conf and verify that the first line is:

user www-data;

And use the default user. Cheers!

0
votes

Just do it anything else

My Config Vagrant / Ubuntu 16 / Nginx 1.13 / PHP-FPM 7.1

sudo vi /etc/nginx/nginx.conf

Change first line user nginx => user www-data

service nginx restart