12

I read several entries on why PHP-FPM might give me permission denied but I can not solve it.

The error logs read like:

    2013/04/20 23:33:28 [crit] 15479#0: *6 open() "/var/lib/nginx/tmp/fastcgi/2/00/0000000002" failed (13: Permission denied) while reading upstream, client: 99.999.999.999, server: example.net, request: "GET /wp-admin/ HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fpm.sock:", host: "example.net", referrer: "http://example.net/"

I'm a little bit lost:

  1. I have set the /var/lib/nginx/tmp to ec2-user (I even +777 everything to check)
  2. I have set the /tmp/php-fpm.sock to ec2-user
  3. the nginx conf file is set to ec2-user
  4. the php-conf is set to user and group ec2-user
  5. ps aux gives ec2-user on all php-fpm and nginx processes

My Nginx configuration includes a lot of files; the basic conf is:

user              ec2-user ec2-user;
worker_processes  5;  
error_log /opt/nginx/error.log;    
pid        /var/run/nginx.pid;    
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;    
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /opt/nginx/access.log main;    
    sendfile        on;
    keepalive_timeout  65;
    client_max_body_size 13m;
    index index.php index.html index.htm;
    upstream php {
       server unix:/tmp/php-fpm.sock;
    }
    include /etc/nginx/conf.d/*.conf;
    include /mnt/web/nginx/conf.d/*.conf;
}

My /etc/nginx/conf.d/ is empty. My /mnt/web/nginx/conf.d contains A LOT of website configurations, which all include "wordpress.conf":

location / {
    try_files $uri $uri/ /index.php?$args;
}
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires 24h;
    log_not_found off;
}
location ~ \.php$ {
    try_files $uri =404;    
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php;
}

My /opt/php/etc/php-fpm.conf:

include=/opt/php/etc/fpm.d/*.conf
pid = run/php-fpm.pid
error_log = log/php-fpm.log
log_level = notice
[www]
listen = /tmp/php-fpm.sock
user = ec2-user
group = ec2-user
pm = dynamic
pm.max_children = 250
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
pm.status_path = /fpm-status
ping.path = /fpm-ping
slowlog = log/$pool.log.slow
catch_workers_output = yes

UPDATE: found the problem, put it in the answer

edelwater
  • 487

6 Answers

21

I had set the /var/lib/nginx/tmp to ec2-user/ec2-user (I even +777 everything to check)

But ... I also had to set /var/lib/nginx to ec2-user/ec2-user

... after also chown/chgrp the parent nginx folder: no more errors.

Took me some hours...

edelwater
  • 487
15

This generally happens when the user setting in nginx.conf is changed from

user nginx;

to something else. In this case,

user ec2-user ec2-user;

The chmod command is not necessary per Chris's comment, and could open up a security hole.

Solution:

Check the current user and group ownership on /var/lib/nginx.

$ ls -ld /var/lib/nginx
drwx------ 3 nginx nginx 4096 Aug  5 00:05 /var/lib/nginx

This tells you that a possibly nonexistent user and group named nginx owns this folder. This prevents file uploading.

Change the folder ownership to the user defined in nginx.conf, in this case ec2-user (sudo may not be required).

$ sudo chown -Rf ec2-user:ec2-user /var/lib/nginx

Verify that it actually changed.

$ ls -ld /var/lib/nginx
drwx------ 3 ec2-user ec2-user 4096 Aug  5 00:05 /var/lib/nginx

The permission denied error should now go away. Check the error.log (based on nginx.conf error_log location).

$ sudo nano /opt/nginx/error.log

If that doesn't work you might need to reload nginx and php-fpm.

$ sudo service nginx reload
$ sudo service php-fpm reload
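
The parent-directory problem described in the two answers above (a 777 leaf under a `drwx------` parent owned by another user), as an added example that is not part of either answer. The function names `perm_digit` and `first_blocker` and the script name are hypothetical; the check assumes GNU `stat` and looks only at owner, group and mode bits.

```shell
#!/bin/sh
# Added example: find the first directory on the way to an nginx temp path
# that a given uid/gid cannot use. Only owner/group/mode bits are examined;
# supplementary groups, ACLs and SELinux are ignored. Requires GNU stat.

# perm_digit UID GID PATH: print the rwx digit (0-7) that applies to UID/GID.
perm_digit() {
    pd_uid=$1 pd_gid=$2
    pd_st=$(stat -L -c '%u %g %a' "$3") || return 2
    set -- $pd_st                 # $1=owner uid  $2=owner gid  $3=octal mode
    pd_mode=$((0$3))
    if   [ "$pd_uid" -eq 0 ];    then echo 7                          # root
    elif [ "$pd_uid" -eq "$1" ]; then echo $(( (pd_mode >> 6) & 7 ))  # owner
    elif [ "$pd_gid" -eq "$2" ]; then echo $(( (pd_mode >> 3) & 7 ))  # group
    else                              echo $(( pd_mode & 7 ))         # other
    fi
}

# first_blocker UID GID TARGET [START]: walk START (default /) down to TARGET.
# Each directory on the way needs x (search); TARGET needs w+x so temp files
# can be created in it. Prints the first failing path and returns 1,
# or prints nothing and returns 0 when the whole chain is usable.
first_blocker() {
    fb_uid=$1 fb_gid=$2 fb_cur=${4:-/}
    fb_cur=${fb_cur%/}                        # "/" becomes "" here
    fb_rest=${3%/}
    fb_rest=${fb_rest#"$fb_cur"}              # part of TARGET below START
    while :; do
        fb_d=$(perm_digit "$fb_uid" "$fb_gid" "${fb_cur:-/}") || return 2
        if [ -z "$fb_rest" ]; then fb_need=3; else fb_need=1; fi
        if [ $(( fb_d & fb_need )) -ne "$fb_need" ]; then
            echo "${fb_cur:-/}"
            return 1
        fi
        [ -z "$fb_rest" ] && return 0
        fb_rest=${fb_rest#/}
        fb_cur=$fb_cur/${fb_rest%%/*}         # descend one component
        case $fb_rest in
            */*) fb_rest=/${fb_rest#*/} ;;
            *)   fb_rest= ;;
        esac
    done
}

# Usage: sh check_chain.sh UID GID TARGET [START], for example
#   sh check_chain.sh "$(id -u ec2-user)" "$(id -g ec2-user)" /var/lib/nginx/tmp
if [ "$#" -ge 3 ]; then first_blocker "$@"; fi
```

A printed path is the directory whose owner or mode has to change; no output means every level is usable by that uid/gid, so the cause lies elsewhere (for example SELinux or ACLs, which this check does not read).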
3

None of the other solutions worked for me, but I found this to work:

$ apt-get install php-pear php5-dev
$ pecl install timezonedb
$ echo 'extension=timezonedb.so'> /etc/php5/mods-available/timezonedb.ini
$ ln -sf /etc/php5/mods-available/timezonedb.ini /etc/php5/conf.d/30-timezonedb.ini
$ service php5-fpm restart

Source

1

I have got a similar problem with file upload: nginx 500 error.

    2015/07/05 03:50:36 [crit] 3656#0: *7 open() "/var/lib/nginx/tmp/client_body/0000000007" failed (13: Permission denied), client: 10.0.2.2, server: www.test.com, request: "POST /api/v1/users HTTP/1.1", host: "test"

The issue was related to permission only, I just set chmod -R 755 /var/lib/nginx and things worked!

0

Just solved my issue with permissions. The easiest way and most simple was to not run php-fpm or nginx as sudo (super user). What you would have to do is:

  1. chown all log output locations for nginx to yourUserName:yourUserName example: chown yourUserName:yourUserName /var/log/nginx/error.log
  2. Next update server dir as well example: chown yourUserName:yourUserName -R /var/www

By not using root I didn't have to change php-fpm user or group or any listening user or groups. Make sure you also comment out nginx.conf 'user' as it will be the current user's name.

c-l-h
  • 1
0

Instead of editing permissions on /var/lib/nginx/whatever, wouldn't it make more sense to just tell nginx to use a different path like /tmp/nginx? This fixed the problem for me:

# create the directory
mkdir /tmp/nginx
chown -R nginx:nginx /tmp/nginx  # assumes the nginx user is named nginx
chmod -R 700 /tmp/nginx

/tmp/nginx permissions should be 700 preferably (which shouldn't be a problem as long as the owner is the same user specified in /etc/nginx/nginx.conf 'user' directive) or 770 if for some reason you need to have a different file owner and nginx to perform i/o via group permissions. Never seen that but who knows.

On CentOS 7, edit /etc/nginx/nginx.conf to tell nginx to use that new directory for client bodies

...

http {
  ...
  client_body_temp_path /tmp/nginx 1 2;
  ...
}

and restart nginx (again CentOS 7)

systemctl restart nginx