permission error with php/nginx and not using www-data


Posted on 16 Aug 2022, this text provides information on Bugs & Fixes related to General Tech. Please note that while accuracy is prioritized, the data presented might not be entirely correct or up-to-date. This information is offered for general knowledge and informational purposes only, and should not be considered as a substitute for professional advice.

manpreet, Best Answer, 2 years ago

-edit- What's even more curious is that if I chmod 777 /var/run/php-fastcgi/php-fastcgi.socket, this works. If it's not www-data, php-www (nor root), then what user is trying to access the socket? :|

-edit2- I added chown www-data:$FASTCGI_GROUP $SOCKET to the end of the script below (which is right after spawn-fcgi) and that solves the problem, but I'm confused: www-data is in the php-www group. Why must it be the owner? I didn't change FASTCGI_USER back to www-data because it would defeat the purpose (it would allow the PHP files to access all my files as www-data, which I don't want).

Essentially, what I wanted to do is have the PHP process not be www-data, so if it gets compromised its damage is limited to the very few PHP sites I have. What I did was create the user php-www and add its group to www-data. When I log in as www-data I can access everything in php-www; however, php-www can't access anything but my PHP sites. Perfect.

I got php+nginx running. But now changing it gives me a problem. I see www-data mentioned in an init.d script which changes the ownership of a folder. It's fine and I changed it to php-www. That's not a problem.

What is the problem is the spawn script.

#!/bin/bash

FASTCGI_USER=php-www
FASTCGI_GROUP=php-www
SOCKET=/var/run/php-fastcgi/php-fastcgi.socket
PIDFILE=/var/run/php-fastcgi/php-fastcgi.pid
CHILDREN=6
PHP5=/usr/bin/php5-cgi

/usr/bin/spawn-fcgi -s $SOCKET -P $PIDFILE -C $CHILDREN -u $FASTCGI_USER -g $FASTCGI_GROUP -f $PHP5

The user/group lines used to say www-data but now I changed them to php-www.

I started php-fastcgi and nginx. When I visit my site I get a 502 bad gateway error. When I look in nginx logs I see this line

connect() to unix:/var/run/php-fastcgi/php-fastcgi.socket failed (13: Permission denied) while connecting to upstream

Permission denied!?! Why!?! www-data does have the group php-www, and stat on that folder and socket shows owner and group php-www. I can access the PHP file with both php-www and www-data. Why am I getting a permission error? And what am I doing wrong?

In case you want to see my processes:

# ps aux | egrep "php|www"

shows

www-data   548  0.0  0.1   1908   492 ?        Ss   18:08   0:00 /usr/sbin/fcgiwrap
www-data   586  0.0  0.1   1908   488 ?        Ss   18:08   0:00 /usr/sbin/fcgiwrap
php-www   1611  0.0  1.9  19312  5020 ?        Ss   18:20   0:00 /usr/bin/php5-cgi
php-www   1612  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1613  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1614  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1615  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1616  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1617  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
www-data  1776  0.0  0.6   5428  1684 ?        S    18:27   0:00 nginx: worker process
php-www   1967  0.0  1.9  19312  5020 ?        Ss   18:40   0:00 /usr/bin/php5-cgi
php-www   1968  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1969  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1970  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1971  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1972  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1973  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
root      2110  0.0  0.2   3300   736 pts/1    S+   18:55   0:00 egrep php|www
manpreet 2 years ago

The socket probably isn't group readable and writeable.
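
Why group membership alone did not help in the question above, as an added example that is not part of the original post or answer: on Linux, connect() to a Unix socket needs write permission on the socket file, and the kernel checks exactly one permission class. The uid/gid numbers and the 755 socket mode used when calling these functions are assumed values, not taken from the thread.

```sh
#!/bin/sh
# Added example: which permission class the kernel applies when a client
# connect()s to a Unix socket. connect() needs WRITE permission on the socket.

# perm_class UID "GIDS" OWNER_UID OWNER_GID -> prints owner, group or other.
# Exactly one class applies; a group member never falls through to "other".
perm_class() {
    if [ "$1" -eq "$3" ]; then echo owner; return 0; fi
    for g in $2; do
        if [ "$g" -eq "$4" ]; then echo group; return 0; fi
    done
    echo other
}

# can_connect MODE UID "GIDS" OWNER_UID OWNER_GID -> status 0 if allowed.
can_connect() {
    mode=$((0$1))                         # octal mode such as 755 or 660
    if [ "$2" -eq 0 ]; then return 0; fi  # root bypasses the mode bits
    case $(perm_class "$2" "$3" "$4" "$5") in
        owner) [ $((mode & 0200)) -ne 0 ] ;;
        group) [ $((mode & 0020)) -ne 0 ] ;;
        other) [ $((mode & 0002)) -ne 0 ] ;;
    esac
}

# check_socket PATH USER: the same check against a live socket (GNU stat).
check_socket() {
    st=$(stat -c '%a %u %g' "$1") || return 2
    # shellcheck disable=SC2086  # word splitting of $st is intended
    set -- "$1" "$2" $st
    if can_connect "$3" "$(id -u "$2")" "$(id -G "$2")" "$4" "$5"; then
        echo "$2 may connect to $1 (mode $3)"
    else
        echo "$2 denied on $1 (mode $3): no write bit for its class"
        return 1
    fi
}
```

With a socket of mode 755 owned by php-www:php-www, a www-data client lands in the group class (r-x) and is refused; making www-data the owner or setting the group write bit (mode 660) both pass, without resorting to 777. spawn-fcgi's -M option sets the socket mode at creation time.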

