nginx and php-fpm socket owner

Published 2019-03-09 12:50

Question:

After an update of my system I ran into a bad gateway error of my PHP apps running on Nginx.

connect() to unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock failed (13: Permission denied) while connecting to upstream, client: xx.xxx.xx.xx, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fcgi-vhostname-php-fcgi-0.sock:", host: "xx.xx.xx.xx"

The problem is caused by bad permissions on the php-fpm sockets used; in fact I see /var/run/php-fcgi.sock owned by root:root, but nginx and php-fpm run as user www-data.

I've already edited the php-fpm config at /etc/php-fpm.d/www.conf with:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

but it doesn't solve the problem, and when I restart nginx and php-fpm the sockets are created with root:root as user/group.

The only way I've found to fix it is to change the owner of the sockets to www-data:www-data manually. But this is not a real solution because every time I restart my services I have to apply it again.

How can I fix this problem? I'm on CentOS 6.5.

Edit:

I use Ajenti-V to configure my vhosts and my PHP-FPM. It creates a new socket for each website/vhost, and they are set in /etc/php-fpm.conf.

They have this structure:

[vhostname-php-fcgi-0]
user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

If I add to each entry these strings:

listen.owner = www-data
listen.group = www-data
listen.mode = 0666

Everything works correctly.

So it looks like www.conf is not included (maybe?). This is my php-fpm.conf:

[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log


[global-pool]
user = www-data
group = www-data
listen = /var/run/php-fcgi.sock

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5


[vhostname-php-fcgi-0]
user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Answer 1:

Config files FPM will read

/etc/php-fpm.conf is the config file FPM will read (on CentOS). If you want FPM to read other config files as well, you need to tell it that.

You can do this by placing the line include=/etc/php-fpm.d/*.conf at the bottom of /etc/php-fpm.conf. It will then read everything in the directory /etc/php-fpm.d (that ends with .conf).

Then place the global directives and the include line in /etc/php-fpm.conf. This could look something like this:

[global]

pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log

include=/etc/php-fpm.d/*.conf

And have a separate file in /etc/php-fpm.d for each pool.

Example /etc/php-fpm.d/global.conf:

[global-pool]

user = www-data
group = www-data

listen = /var/run/php-fcgi.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Example /etc/php-fpm.d/vhostname-0.conf:

[vhostname-php-fcgi-0]

user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Directives to pay attention to

  • Every pool should use a different socket. If you have multiple pools using the same socket you'll get issues.

  • The directives user and group control the user/group which the FPM process for that pool will run as. These do not specify the user/group of the socket.

  • The directives listen.owner and listen.group control the user/group the socket uses for that pool.

  • The pool directives (like listen.*) will only work for pools. So you can't use them in the global section, you have to specify them for each pool.

Socket permissions

The permissions 0660 are perfectly fine when listen.owner and listen.group are the same as the webserver. You could even use 0600, but one might argue that any user that can operate under the same group as the webserver can also use the socket, so I would use 0660.
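An audit of the pool directives the answer above lists, as an added example written for this page (not the poster's or the php-fpm project's code): it parses an FPM config, flags listen.* placed under [global], pools with no listen.owner/listen.group (root:root sockets), two pools sharing a socket, world-accessible listen.mode, and an owner/group the nginx worker user cannot reach. The sample config is constructed, and nginx's user and group list are passed in as assumptions.

```python
import configparser

# Constructed sample php-fpm.conf (an assumption, not the poster's file): it
# reproduces the page's mistakes, listen.* under [global] where FPM ignores
# it, a pool with no listen.owner/group, and a world-writable 0666 socket.
SAMPLE_CONF = """
[global]
listen.owner = www-data
[global-pool]
user = www-data
group = www-data
listen = /var/run/php-fcgi.sock
[vhostname-php-fcgi-0]
user = www-data
group = www-data
listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
"""

POOL_ONLY = ("listen.owner", "listen.group", "listen.mode")

def audit_pools(conf_text, nginx_user, nginx_groups=()):
    """Return (pool, problem) findings; nginx_groups = groups of nginx's worker user."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings, sockets = [], {}
    for key in POOL_ONLY:                      # listen.* only works per pool
        if cp.has_option("global", key):
            findings.append(("global", f"{key} in [global] is ignored; set it per pool"))
    for pool in cp.sections():
        if pool == "global":
            continue
        sock = cp.get(pool, "listen", fallback=None)
        if sock in sockets:                    # two pools sharing one socket
            findings.append((pool, f"listen {sock} also used by pool {sockets[sock]}"))
        elif sock:
            sockets[sock] = pool
        owner = cp.get(pool, "listen.owner", fallback=None)
        group = cp.get(pool, "listen.group", fallback=None)
        mode = cp.get(pool, "listen.mode", fallback="0660")  # FPM's documented default
        if owner is None or group is None:     # socket is created root:root
            findings.append((pool, "listen.owner/listen.group unset: socket will be root:root"))
        elif owner != nginx_user and group not in nginx_groups:
            findings.append((pool, f"socket {owner}:{group} unreachable for nginx user {nginx_user}"))
        if int(mode, 8) & 0o006:               # 'other' bits: any local user can talk to FPM
            findings.append((pool, f"listen.mode {mode} is world-accessible; use 0660"))
    return findings
```

Run it against the real /etc/php-fpm.conf plus the files it includes, with the user from nginx.conf and the output of `id -Gn` for that user.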



Answer 2:

NGINX runs as user nginx and php5-fpm as user www-data. Just add nginx to group www-data and the problem is solved, and nginx can access /var/run/php5-fpm.sock. Works great with Ubuntu 14.04, nginx 1.7.10, PHP 5.5.9-1ubuntu4.6 (fpm-fcgi):

$ sudo usermod -aG www-data nginx


Answer 3:

Everybody! That's my issue too. I just changed my fpm user to vagrant, restarted my pools and ... it's done! Here comes my conf:

user = vagrant
group = nginx

listen.owner = vagrant
listen.group = nginx
listen.mode = 0660

Hope it can help someone.



Answer 4:

Hello everyone and thanks for the help. In my case, with Ubuntu Server 14.04, nginx and php5-fpm, the problem with the php-fpm socket being owned by root was solved by editing the file /etc/php5/fpm/pool.d/www.conf. Uncomment the lines:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

From a clean installation nginx's owner and group is www-data. I think that the best practice is to look at /etc/nginx/nginx.conf and verify that the first line is:

user www-data;

And use the default user. Cheers!



Answer 5:

Just do it anything else

My config: Vagrant / Ubuntu 16 / Nginx 1.13 / PHP-FPM 7.1

sudo vi /etc/nginx/nginx.conf

Change the first line: user nginx => user www-data

service nginx restart


Answer 6:

On my installation, CentOS 7.5, Apache with php 7.1 and php 5.6, I had the same problem where I had to manually fix the permissions on php56-php.fpm.sock (owned by root) after every reboot.

My config for php56 was here and may be different on your install: /opt/remi/php56/root/etc/php-fpm.d/www.conf

I changed this commented-out section in the file:

listen.owner = nginx
listen.group = nginx
listen.mode = 0666

Now after a restart everything is fine, with correct permissions on the socket file. Not sure about the listen.mode; I think 0660 also works.



Tags: php nginx centos