Nginx + PHP-FPM: Permissions on UNIX socket

Hello,

After an update of my PHP package, now that I am using the new
configuration files, I am setting up my new PHP-FPM UNIX socket.

My UNIX socket is:

  • Placed in /var/run/php-fpm.sock
  • Owner & group: ‘www-data’
  • Filemode: 0660

After restarting PHP-FPM, the new socket has the correct attributes.

My Nginx configuration spawns workers with the ‘nginx’ user, which belongs to the ‘www-data’ group (just checked through the ‘groups’ command).

However, Nginx can’t connect to the PHP socket; it seems to encounter some permissions problems: ‘*1 connect() to unix:/var/run/php-fpm.sock failed (13: Permission denied) while connecting to upstream’

What am I doing wrong? Do I need something in particular in my Nginx configuration?

B. R.

2012/5/8 B.R. [email protected]:

My Nginx configuration spawns workers with the ‘nginx’ user, which belongs
to the ‘www-data’ group (just checked through the ‘groups’ command).

However, Nginx can’t connect to the PHP socket; it seems to encounter some permissions problems: ‘*1 connect() to unix:/var/run/php-fpm.sock failed (13: Permission denied) while connecting to upstream’

What am I doing wrong? Do I need something in particular in my Nginx configuration?

Although everything seems correct, let’s double-check this. What’s the output of the following commands?

(stop, then start php-fpm)

date +%Y-%m-%d\ %H:%M:%S

ls -ald /var /var/run /var/run/php-fpm.sock

getfacl /var/run/php-fpm.sock

groups nginx

groups www-data

ps aux | grep -F -e php -e nginx

I bet it’s just a small detail you’ve missed.


Mark

Hi Mark,

Since I don’t have ACL installed, here is the output of all the other commands:

$ sudo service php5-fpm restart
Restarting PHP5 FastCGI Process Manager: php5-fpm.

$ date +%Y-%m-%d\ %H:%M:%S
2012-05-09 19:39:30

$ ls -ald /var /var/run /var/run/php-fpm.sock
drwxr-xr-x 16 root root 4096 21 nov. 17:10 /var
drwxr-xr-x 7 root root 4096 9 mai 19:39 /var/run
srw-rw---- 1 www-data www-data 0 9 mai 19:39 /var/run/php-fpm.sock

$ groups nginx
nginx : www-data debian-transmission

$ groups www-data
www-data : www-data

$ ps aux | grep -F -e php -e nginx
root 19448 0.0 0.0 30400 1164 ? Ss May08 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 19449 0.0 0.0 30808 2104 ? S May08 0:00 nginx: worker process
root 30316 0.0 0.1 108440 4252 ? Ss 19:39 0:00 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
www-data 30317 0.0 0.0 108440 3788 ? S 19:39 0:00 php-fpm: pool www
www-data 30318 0.0 0.0 108440 3788 ? S 19:39 0:00 php-fpm: pool www
(me) 30330 0.0 0.0 9616 832 pts/0 S+ 19:39 0:00 grep -F -e php -e nginx

I still don’t get the problem…

B. R.

Well,

Following the advice of a friend, I made the Nginx user owner of the socket.
Guess what: it works!

I restricted the chmod to 0600 to be sure the group was involved.

Now here are some questions:
Why can’t we use the group right on the socket?
Why is it only the owner user who has an impact on the effectiveness of the rights?

The group is useless here… I am a little lost following that logic.

B. R.

Hi,

I still don’t get it…
I even tried to put the UNIX socket file inside a directory whose owner group was the ‘www-data’ one… Still ‘Permission denied’ in the Nginx log files!

I reverted temporarily to the old way to bind Nginx with PHP-FPM, using the standard TCP listening and restricting it to the local interface through my firewall.

If someone had an idea on this, I would be glad if he contributed!

B. R.

-------- Original Message --------

Date: Thu, 10 May 2012 18:31:47 -0400
From: “B.R.” [email protected]
To: [email protected]
Subject: Re: Nginx + PHP-FPM: Permissions on UNIX socket

Hi all again,

As my nginx package (gathered from the Debian Sqeeze repository @Nginx)
specified, the maintainer should be “Sergey B.” [email protected].
However, I got a mailer daemon saying the user doesn’t exist…

How can I submit a bug to the Debian Squeeze Nginx package maintainer?

Maybe by using this URL → Debian bug tracking system


Hi all again,

As my nginx package (gathered from the Debian Sqeeze repository @Nginx)
specified, the maintainer should be “Sergey B.” [email protected].
However, I got a mailer daemon saying the user doesn’t exist…

How can I submit a bug to the Debian Squeeze Nginx package maintainer?

B. R.

I am using the package up-to-date provided by Nginx in their repository for Debian, not directly the one included in any Debian official repositories.

There → nginx: download

B. R.

-------- Original Message --------

Date: Thu, 10 May 2012 21:14:18 -0400
From: “B.R.” [email protected]
To: [email protected]
Subject: Re: Nginx + PHP-FPM: Permissions on UNIX socket

I am using the package up-to-date provided by Nginx in their repository for Debian, not directly the one included in any Debian official repositories.

There → nginx: download

Okay. Then maybe here → http://trac.nginx.org/nginx/report


On 11.05.2012, at 2:31, B.R. wrote:

Hi all again,

As my nginx package (gathered from the Debian Sqeeze repository @Nginx)
specified, the maintainer should be “Sergey B.” [email protected].
However, I got a mailer daemon saying the user doesn’t exist…

Address exists actually, but you sent mail to @nginx.org, not to com.

How can I submit a bug to the Debian Squeeze Nginx package maintainer?

It is not a bug, check documentation: Core functionality
If you want to start nginx with www-data group credentials add
“user nginx www-data;”
to config file.

On 11.05.2012, at 8:30, Sergey B. wrote:

How can I submit a bug to the Debian Squeeze Nginx package maintainer?

It is not a bug, check documentation: Core functionality
If you want to start nginx with www-data group credentials add
“user nginx www-data;”
to config file.

BTW you could also add www-data as a supplementary group to the nginx user.
It will work too.

OK, thanks Sergey!
That seemed to be a gross bug, I am glad to know that’s only my mistake.
:o)

What do you mean by ‘add www-data as supplementary group to nginx user’?
At the moment, nginx has www-data as its primary group.

  • Can it work if I don’t specify any group in the Nginx config file
    (default group seems to be nobody, not any nginx user groups)?
  • Or should I always specify a group in the configuration, even if the
    nginx user already belongs to it?

B. R.

Did you specify the www-data group in the ‘user’ configuration entry of Nginx?
If you did so then this is why. It is what you shall do at the present time to allow group privileges to the worker processes.

I only specified the user ‘nginx’ and not any group, since I thought the groups which nginx belongs to could automatically be used for access privileges.
Maxim added a comment on the ticket and flagged it as a potential enhancement, look at his comment: #165 (Nginx worker processes don't seem to have the right group permissions) – nginx

I guess I understand that if I don’t specify any group in the configuration file, then ‘nobody’ is used.
But Sergey confused me a little about his ‘supplementary group’ piece of advice which I didn’t get.

B. R.

On Fri, May 11, 2012 at 11:25 PM, B.R. [email protected] wrote:

I don’t set anything, actually :confused: (and I usually use same group name
as username which probably explains why I never encountered this)

Yeah I was wrong, the doc says that if u only set the user and not the group, then the group used has the same name as the user:
http://wiki.nginx.org/CoreModule#user
You are in the particular case so you didn’t see anything ;o)

That would probably be better with the enhancement, since Nginx will effectively check which group is really the primary one of the user…

B. R.

On 11.05.2012, at 20:08, B.R. wrote:

OK, thanks Sergey!
That seemed to be a gross bug, I am glad to know that’s only my mistake. :o)

What do you mean by ‘add www-data as supplementary group to nginx user’?
At the moment, nginx has www-data as its primary group.

usermod -G www-data -a nginx
User can be a member of several (up to 64k on modern linux) supplementary groups.
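A worked check for the two fixes Sergey describes above (the ‘user nginx www-data;’ directive, and ‘usermod -a -G www-data nginx’) plus the chown/0600 experiment earlier in the thread. This is an added example, not code from the thread or from nginx itself: it reproduces the owner/group/other class selection the kernel applies to the socket inode, and the socket, user and group values are constructed from the ls/groups output posted above. It assumes, as the nginx docs state, that ‘user nginx;’ without a group makes the workers use the group named after the user.

```shell
#!/bin/sh
# Added example (not from the thread): may a worker with the given credentials
# connect() to a unix socket? The socket inode needs read+write, and exactly
# one permission class applies: owner if the uid matches, else group if the
# effective gid or any supplementary gid matches, else other.
#
# socket_rw MODE OWNER GROUP USER EGROUP [SUPPLEMENTARY_GROUP ...]
# MODE is the ls -l string, e.g. srw-rw----
socket_rw() {
    mode=$1; owner=$2; group=$3; user=$4; egroup=$5
    shift 5
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)      # owner class wins
    else
        in_group=0
        [ "$egroup" = "$group" ] && in_group=1       # effective gid
        for g in "$@"; do                            # supplementary gids
            [ "$g" = "$group" ] && in_group=1
        done
        if [ "$in_group" -eq 1 ]; then
            bits=$(printf '%s' "$mode" | cut -c5-7)
        else
            bits=$(printf '%s' "$mode" | cut -c8-10)
        fi
    fi
    case $bits in
        rw*) return 0 ;;   # connect() succeeds
        *)   return 1 ;;   # EACCES: "13: Permission denied"
    esac
}

# Constructed from the thread: socket srw-rw---- www-data:www-data; /etc/passwd
# gives nginx the primary group www-data; /etc/group lists nginx only in
# debian-transmission. SOCK is left unquoted on purpose (three arguments).
SOCK="srw-rw---- www-data www-data"

# "user nginx;" - workers get the group named after the user, and the
# supplementary list comes from /etc/group only, so www-data is absent.
case_user_only()  { socket_rw $SOCK nginx nginx debian-transmission; }
# "user nginx www-data;" - effective gid is www-data.
case_user_group() { socket_rw $SOCK nginx www-data debian-transmission; }
# usermod -a -G www-data nginx - www-data now shows up as supplementary.
case_usermod()    { socket_rw $SOCK nginx nginx debian-transmission www-data; }
# chown nginx + chmod 0600 from earlier in the thread: owner class only.
case_chown_0600() { socket_rw srw------- nginx www-data nginx nginx; }

for c in case_user_only case_user_group case_usermod case_chown_0600; do
    if $c; then echo "$c: connect() allowed"; else echo "$c: 13 Permission denied"; fi
done
```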

On Fri, May 11, 2012 at 11:08 PM, B.R. [email protected] wrote:


It’s weird, I certainly have no problem with such setup.

$ ls -l .php.sock-*
srw-rw---- 1 bacchanallia www-data 0 May 9 12:27 .php.sock-bacchanallia=
srw-rw---- 1 edho www-data 0 May 9 12:27 .php.sock-edho=
srw-rw---- 1 genshiken www-data 0 May 9 12:27 .php.sock-genshiken=
$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ id edho
uid=1000(edho) gid=1000(edho) groups=1000(edho),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
$ ps axuw|grep nginx
root 32448 0.0 0.0 65424 640 ? Ss Apr30 0:00 nginx: master process /usr/sbin/nginx
www-data 32449 0.0 0.3 65828 3348 ? S Apr30 0:59 nginx: worker process
www-data 32450 0.0 0.4 65572 4768 ? S Apr30 0:57 nginx: worker process
www-data 32451 0.0 0.5 66320 5844 ? S Apr30 1:02 nginx: worker process
www-data 32452 0.0 0.3 65428 3420 ? S Apr30 0:59 nginx: worker process
www-data 32453 0.0 0.4 66324 4356 ? S Apr30 1:01 nginx: worker process
$

Wow thanks Sergey!
That did the trick.

I didn’t know that you could add a group as ‘supplementary’ when it was already your ‘primary’ one… Kind of a strange trick to do!
I am definitely not familiar with the way permissions are defined for *nix users. ;o)

It’s strange that supplementary groups are handled correctly and that Nginx makes the assumption that the primary group has the same name as the user when it is not specified in the configuration.
Maxim noted my request as an ‘enhancement’. Since the logic is blurry I would suggest to get back to ‘bug’! :oP

B. R.