After an update of my PHP package, now that I am using the new
configuration files, I am setting up my new PHP-FPM UNIX socket.
My UNIX socket is:
Placed in /var/run/php-fpm.sock
Owner & group: ‘www-data’
Filemode: 0660
After restarting PHP-FPM, the new socket has the correct attributes.
My Nginx configuration spawns workers with the ‘nginx’ user, which belongs
to the ‘www-data’ group (just checked through the ‘groups’ command).
However, Nginx can’t connect to the PHP socket, it seems to encounter some
permissions problems: ‘*1 connect() to unix:/var/run/php-fpm.sock failed
(13: Permission denied) while connecting to upstream’
What am I doing wrong? Do I need something in particular in my Nginx
configuration?
Although everything seems correct, let’s double-check this. What’s the
output of following commands?
Following the advice of a friend, I made the Nginx user owner of the socket.
Guess what: it works!
I restricted the chmod to 0600 to be sure the group was involved.
Now here are some questions:
Why can’t we use the group right on the socket?
Why is it the owner user who only has an impact on the effectiveness of the
rights?
The group is useless here… I am a little lost following that logic.
I still don’t get it…
I even tried to put the UNIX socket file inside a directory whose owner
group was the ‘www-data’ one… Still ‘Permission denied’ in the Nginx log
files!
I reverted temporarily to the old way to bind Nginx with PHP-FPM, using the
standard TCP listening and restricting it to the local interface through my
firewall.
If someone had an idea on this, I would be glad if he contributed!
As my nginx package (gathered from the Debian Squeeze repository @Nginx)
specified, the maintainer should be “Sergey B.” [email protected].
However, I got a mailer daemon saying the user doesn’t exist…
How can I submit a bug to the Debian Squeeze Nginx package maintainer?
Address exists actually, but you sent mail to @nginx.org, not to com.
It is not a bug, check documentation: Core functionality
If you want to start nginx with www-data group credentials add
“user nginx www-data;”
to config file.
BTW you also could add www-data as supplementary group to nginx user.
It will work too
Did you specify the www-data group in the ‘user’ configuration entry of
Nginx?
If you did so then this is why. It is what you shall do at the present time
to allow group privileges to the worker processes.
I only specified the user ‘nginx’ and not any group, since I thought the
groups which nginx belongs to would automatically be used for access
privileges.
Maxim added a comment on the ticket and flagged it as a potential
enhancement, look at his comment: #165 (Nginx worker processes don't seem to have the right group permissions) – nginx
I guess I understand that if I don’t specify any group in the configuration
file, then ‘nobody’ is used.
But Sergey confused me a little about his ‘supplementary group’ piece of
advice which I didn’t get.
Yeah I was wrong, the doc says that if u only set the user and not the
group, then the group used has the same name as the user: http://wiki.nginx.org/CoreModule#user
You are in the particular case so you didn’t see anything ;o)
That would be probably better with the enhancement, since Nginx will
effectively check which group is really the primary one of the user…
I didn’t know that you could add a group as ‘supplementary’ when it was
already your ‘primary’ one… Kind of strange trick to do!
I am definitely not familiar with the way permissions are defined for nux
users. ;o)
It’s strange that supplementary groups are handled correctly and that Nginx
makes the assumption that the primary group has the same name as the user
when it is not specified in the configuration.
Maxim noted my request as an ‘enhancement’. Since the logic is blurry I
would suggest to get back to ‘bug’! :oP
B. R.
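The group resolution this thread converges on, written out as an added example (not nginx code and not from any poster). It assumes workers take their group from the `user` directive, defaulting to a group named after the user, plus any /etc/group entries that list the user as a member; the group table and socket attributes are constructed sample data.

```python
# Model (assumption, following the thread): a worker's gid comes from the
# `user` directive, defaulting to a group named like the user; supplementary
# groups are the /etc/group entries that list the user as a member. The
# primary group recorded in /etc/passwd is never consulted.

# Constructed sample data, not taken from a real host. 'nginx' has www-data
# as its passwd primary group, so it is NOT listed as a member in /etc/group.
ETC_GROUP = {"www-data": [], "nginx": [], "adm": ["nginx"]}  # group -> members
SOCKET = {"owner": "www-data", "group": "www-data", "mode": 0o660}


def worker_credentials(user_directive, etc_group):
    """Return (user, set of groups) for a directive like 'user nginx www-data;'."""
    parts = user_directive.rstrip(";").split()
    if parts[:1] != ["user"] or len(parts) not in (2, 3):
        raise ValueError("expected 'user <name> [group];'")
    user = parts[1]
    group = parts[2] if len(parts) == 3 else user  # default: same name as user
    supplementary = {g for g, members in etc_group.items() if user in members}
    return user, {group} | supplementary


def can_connect(user, groups, sock):
    """connect() on a UNIX socket needs write permission on the socket file."""
    if user == sock["owner"]:          # owner class is checked first
        return bool(sock["mode"] & 0o200)
    if sock["group"] in groups:        # then the group class
        return bool(sock["mode"] & 0o020)
    return bool(sock["mode"] & 0o002)  # otherwise "other"


def check(user_directive, etc_group=ETC_GROUP, sock=SOCKET):
    """True if a worker started under this directive could open the socket."""
    user, groups = worker_credentials(user_directive, etc_group)
    return can_connect(user, groups, sock)


if __name__ == "__main__":
    listed = dict(ETC_GROUP, **{"www-data": ["nginx"]})
    owned = {"owner": "nginx", "group": "www-data", "mode": 0o600}
    print(check("user nginx;"))                    # the reported failure
    print(check("user nginx www-data;"))           # group named in the directive
    print(check("user nginx;", etc_group=listed))  # explicit supplementary group
    print(check("user nginx;", sock=owned))        # socket chowned to nginx
```

Directory search permission on the path to the socket is not modeled here; it must also allow the worker to reach the file.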