Froxlor Forum

permissions issue with php-fpm (Apache and nginx)


OliverRahner

Question

Hi,

Because I had some issues with HTTP2 and php via fcgid under Apache, I tried to switch to php-fpm.

While I was at it, I noticed a problem that I couldn't pinpoint and decided to try nginx. The issue stayed the same; basically these log entries:

nginx:

connect() to unix:/var/lib/apache2/fastcgi/domainname.de-php-fpm.socket failed (13: Permission denied) while connecting to upstream, client: xx.xx.xx.xx, server: domainname.de, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/var/lib/apache2/fastcgi/domainname.de-php-fpm.socket:", host: "domainname.de", referrer: "https://domainname.de/"

Apache:

(13)Permission denied: [client xx.xx.xx.xx:63318] FastCGI: failed to connect to server "/var/www/php-fpm/web2/domainname.de/ssl-fpm.external": connect() failed

The way I understand this problem:

By design, php-fpm sockets created by Froxlor have permissions which only allow the vhost user to connect.
But neither Apache nor nginx are told anywhere under which identity to connect to the socket.

The SuExecUserGroup line in the vhost config file for Apache which does this for fcgid vanished when switching to php-fpm.

I currently solved the problem by changing the line "listen.owner" inside the php-fpm pools to "www-data".
That should not lower security, because php-fpm in itself takes care that the php process runs as the vhost user.


Can someone tell me where I misunderstood the whole concept?


4 answers to this question


Well, the webserver user should be in the group of the user, so you should check your libnss/nscd configs/stuff. Also this has nothing to do with http2, which works fine with apache + fpm (using that myself).


The HTTP2 issue was something totally unrelated (namely that for some reason, I could only exec one php thread PER VHOST at the same time :-P); I mentioned it just for completeness.

I just checked, and at some point in the past the official libnss config file changed, which I didn't notice. That is why www-data was not a member of all the users' groups. I updated the libnss config, and... tadaaa, everything works.

To be honest, I ignored all hints I found online regarding misconfigured libnss, because my libnss seemed to work. I could do "id web2" etc. and get seemingly ok results.

But is there any reason why adding www-data to the users' groups is better than just accepting socket connections to php-fpm by www-data?

Thanks for your help.


On 6.6.2017 at 2:42 PM, OliverRahner said:

But is there any reason why adding www-data to the users' groups is better than just accepting socket connections to php-fpm by www-data?

Because files created by php would then be owned by www-data and not the customer; that's why the webserver is only a group member for the customer.
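As an added example (not Froxlor's own code), the following check reproduces the thread's diagnosis offline: it reads a pool's listen.owner/listen.group/listen.mode and decides whether the webserver user can connect() to the socket as owner, as a group member (the intended Froxlor setup), or because the socket is world-accessible. The pool file is constructed here in the shape Froxlor writes; the socket path comes from the thread, the listen.* values and the group lists for www-data are assumptions.

```sh
#!/bin/sh
# Added example (not Froxlor's code): decide whether a webserver user may connect()
# to a php-fpm pool socket, from the pool's listen.* settings and the user's groups.
# On a live host pass "$(id -nG www-data)" as the third argument; constructed values below.
check_pool_access() {
    conf=$1 webuser=$2 webgroups=$3
    owner=$(sed -n 's/^listen\.owner *= *//p' "$conf")
    group=$(sed -n 's/^listen\.group *= *//p' "$conf")
    mode=$(sed -n 's/^listen\.mode *= *//p' "$conf")
    [ -n "$mode" ] || mode=0660          # php-fpm's default when listen.mode is unset
    perms=${mode#"${mode%???}"}          # keep the last three octal digits (user, group, other)
    u=${perms%??}; o=${perms#??}; g=${perms%?}; g=${g#?}
    # connect() on a unix socket needs both read and write (octal 6) for the caller
    if [ "$owner" = "$webuser" ] && [ $(( u & 6 )) -eq 6 ]; then
        echo "ok: $webuser owns the socket of $conf"; return 0
    fi
    for grp in $webgroups; do
        if [ "$grp" = "$group" ] && [ $(( g & 6 )) -eq 6 ]; then
            echo "ok: $webuser is a member of group $group"; return 0
        fi
    done
    if [ $(( o & 6 )) -eq 6 ]; then
        echo "warn: socket is world-accessible (mode $mode), any local user can reach the pool"; return 0
    fi
    echo "denied: $webuser is neither owner '$owner' nor in group '$group' (mode $mode)"
    return 1
}

# Constructed pool in the shape Froxlor writes (socket path from the thread; keys are assumptions)
POOLDIR=$(mktemp -d)
POOL="$POOLDIR/domainname.de.conf"
cat > "$POOL" <<'EOF'
[domainname.de]
user = web2
group = web2
listen = /var/lib/apache2/fastcgi/domainname.de-php-fpm.socket
listen.owner = web2
listen.group = web2
listen.mode = 0660
EOF

# 1) libnss does not report web2 among www-data's groups: the asker's "(13: Permission denied)"
check_pool_access "$POOL" www-data "www-data" || echo "-> this is what nginx/Apache logged"
# 2) libnss fixed, www-data is in the customer's group: works without touching listen.owner
check_pool_access "$POOL" www-data "www-data web2"
```

Running `id -nG www-data` on the affected host and comparing it with the customer groups is the quick way to spot the libnss breakage the asker hit, since `id web2` alone does not show it.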


Archived

This topic is now archived and is closed to further replies.
