

nginx error connect to php5-fpm.sock failed (13: Permission denied)


Question

I updated nginx to 1.4.7 and PHP to 5.5.12. After that I got a 502 error. Before the update everything worked fine.

nginx-error.log

2014/05/03 13:27:41 [crit] 4202#0: *1 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: xx.xxx.xx.xx, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "xx.xx.xx.xx"

nginx.conf

user  www www;
worker_processes  1;

        location / {
            root   /usr/home/user/public_html;
            index  index.php index.html index.htm;
        }
        location ~ [^/]\.php(/|$) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param  SCRIPT_FILENAME    /usr/home/user/public_html$fastcgi_script_name;
            include fastcgi_params;
        }
2014/06/02
1
291
6/2/2014 8:25:59 AM

Accepted Answer

I had a similar error after a PHP update. PHP fixed a security bug where o had rw permission to the socket file.

  1. Open /etc/php5/fpm/pool.d/www.conf or /etc/php/7.0/fpm/pool.d/www.conf, depending on your version.
  2. Uncomment all permission lines, like:

    listen.owner = www-data
    listen.group = www-data
    listen.mode = 0660
    
  3. Restart fpm - sudo service php5-fpm restart or sudo service php7.0-fpm restart

Note: if your webserver runs as a user other than www-data, you will need to update the www.conf file accordingly.

2016/09/25
629
9/25/2016 9:21:52 PM

All the fixes currently mentioned here basically enable the security hole all over again.

What I ended up doing is adding the following lines to my PHP-FPM configuration file.

listen.owner = www-data
listen.group = www-data

Make sure that www-data is actually the user the nginx worker is running as. For Debian it's www-data by default.

Doing it this way does not enable the security problem that this change was supposed to fix.

2014/05/14

@Xander's solution works, but does not persist after a reboot.

I found that I had to change listen.mode to 0660 in /etc/php5/fpm/pool.d/www.conf.

Sample from www.conf:

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. 
; Default Values: user and group are set as the running user
;                 mode is set to 0660
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0660

Edit: Per @Chris Burgess, I've changed this to the more secure method.

I removed the comment for listen.mode, .group and .owner:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

/var/run only holds information about the running system since last boot, e.g., currently logged-in users and running daemons. (http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard#Directory_structure).

Side note:

My php5-fpm -v reports: PHP 5.4.28-1+deb.sury.org~precise+1. The issue did happen after a recent update as well.

2014/05/16

If you have tried everything in this post but are not having success getting PHP to work, this is what fixed it for my case:

Make sure you have these lines uncommented in /etc/php5/fpm/pool.d/www.conf:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

Make sure /etc/nginx/fastcgi_params looks like this:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  PATH_INFO          $fastcgi_script_name;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

These two lines were missing from my /etc/nginx/fastcgi_params; make sure they are there!

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  PATH_INFO          $fastcgi_script_name;

Then, restart php5-fpm and nginx. Should do the trick.

2014/10/01

In fact, "listen.mode" should be "0660" and not "0666", as Other Writable or Other Readable is never a good choice here.

So try to find out which user/group your webserver runs as. I use CentOS and it runs as user "nginx". So add to your php-fpm.conf:

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

Finally, restart php-fpm.

2014/06/13

Check which user runs nginx. As of Ubuntu 12.04 nginx runs as the nginx user, which is not a member of the www-data group.

usermod -a -G www-data nginx

and restarting nginx and php5-fpm daemons solves the problem.

2015/01/10
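
An added example, not part of any answer above: a shell check that reads listen.owner, listen.group and listen.mode from a pool file and predicts whether the nginx worker user can connect to the socket, flagging a mode that lets every local user connect. The pool files are constructed samples, and falling back to root for an unset owner or group assumes the PHP-FPM master process runs as root.

```shell
#!/bin/sh
# Added example (not from the thread): predict whether the nginx worker can
# connect to the PHP-FPM socket that a pool file describes.

# pool_get FILE KEY: value of the last uncommented "KEY = value" line.
pool_get() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }                       # commented-out directive
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); val = v }
        END { print val }' "$1"
}

# audit_socket FILE WEB_USER "WEB_GROUPS": prints ok | denied | world-writable
audit_socket() {
    owner=$(pool_get "$1" listen.owner); owner=${owner:-root}  # assumption: master runs as root
    group=$(pool_get "$1" listen.group); group=${group:-root}
    mode=$(pool_get "$1" listen.mode);   mode=${mode:-0660}    # default stated in www.conf
    m=$((0$mode))                                              # leading 0 = octal
    # Other-writable: nginx connects, but so does every other local user.
    if [ $((m & 2)) -ne 0 ]; then echo world-writable; return; fi
    bits=$((m & 7))                                            # "other" class unless matched
    if [ "$2" = "$owner" ]; then
        bits=$(( (m >> 6) & 7 ))                               # owner class
    else
        for g in $3; do
            if [ "$g" = "$group" ]; then bits=$(( (m >> 3) & 7 )); fi
        done
    fi
    # On Linux, connect() to a unix socket needs write permission on it.
    if [ $((bits & 2)) -ne 0 ]; then echo ok; else echo denied; fi
}

# Constructed sample pool files.
d=$(mktemp -d)
printf ';listen.owner = www-data\n;listen.group = www-data\n;listen.mode = 0660\n' > "$d/default.conf"
printf 'listen.mode = 0666\n' > "$d/open.conf"
printf 'listen.owner = www-data\nlisten.group = www-data\nlisten.mode = 0660\n' > "$d/fixed.conf"

echo "all lines commented, nginx as www-data: $(audit_socket "$d/default.conf" www-data "www-data")"
echo "listen.mode = 0666 only:                $(audit_socket "$d/open.conf" www-data "www-data")"
echo "owner/group/mode set, nginx as www-data: $(audit_socket "$d/fixed.conf" www-data "www-data")"
echo "same file, nginx user not in group:      $(audit_socket "$d/fixed.conf" nginx "nginx")"
echo "after usermod -a -G www-data nginx:      $(audit_socket "$d/fixed.conf" nginx "nginx www-data")"
```

On a live host, pass the real pool file together with the user from the nginx.conf user directive and the output of id -Gn for that user.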