12

I read several entries on why PHP-FPM might give me permission denied but I can not solve it.

The error logs read like:

 2013/04/20 23:33:28 [crit] 15479#0: *6 open() "/var/lib/nginx/tmp/fastcgi /2/00/0000000002" failed (13: Permission denied) while reading upstream, client: 99.999.999.999, server: example.net, request: "GET /wp-admin/ HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fpm.sock:", host: "example.net", referrer: "http://example.net/"

Im a little but lost:

  1. I have set the /var/lib/nginx/tmp to ec2-user (i even +777 everything to check)
  2. I have set the /tmp/php-fpm.sock to ec2-user
  3. the nginx conf file is set to ec2-user
  4. the php-conf is set to user and group ec2-user
  5. ps aux gives ec2-user on all php-fpm and nginx processes

My Nginx Configuration includes a lot of files , the basic conf is:

user ec2-user ec2-user; worker_processes 5; error_log /opt/nginx/error.log; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /opt/nginx/access.log main; sendfile on; keepalive_timeout 65; client_max_body_size 13m; index index.php index.html index.htm; upstream php { server unix:/tmp/php-fpm.sock; } include /etc/nginx/conf.d/*.conf; include /mnt/web/nginx/conf.d/*.conf; }

my /etc/nginx/conf.d/ is empty my /mnt/web/nginx/conf.d contain A LOT of website configurations which all include "wordpress.conf":

location / { try_files $uri $uri/ /index.php?$args; } rewrite /wp-admin$ $scheme://$host$uri/ permanent; location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires 24h; log_not_found off; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php; }

My /opt/php/etc/php-fpm.conf:

include=/opt/php/etc/fpm.d/*.conf pid = run/php-fpm.pid error_log = log/php-fpm.log log_level = notice [www] listen = /tmp/php-fpm.sock user = ec2-user group = ec2-user pm = dynamic pm.max_children = 250 pm.start_servers = 20 pm.min_spare_servers = 5 pm.max_spare_servers = 35 pm.max_requests = 500 pm.status_path = /fpm-status ping.path = /fpm-ping slowlog = log/$pool.log.slow catch_workers_output = yes

UPDATE: found the problem, put it in the answer

Improve this question
13
  • 1
    is selinux enabled ? run getenforce or cat /selinux/enforce if is not 0 is enabled Commented Apr 20, 2013 at 23:48
  • 1
    What's the rest of your nginx configuration? Commented Apr 20, 2013 at 23:51
  • 1
    your socket from log file is /tmp/php-fpm.sock but you changed /var/lib/nginx/tmp - did you do chroot in nginx ? Commented Apr 20, 2013 at 23:51
  • 1
    send the output from the command mount Commented Apr 21, 2013 at 0:12
  • 1
    also look that all directories in your home ... see serverfault.com/questions/170192/… Commented Apr 21, 2013 at 0:50

6 Answers 6

Reset to default
21

I had set the /var/lib/nginx/tmp to ec2-user/ec2-user (i even +777 everything to check)

But ... I also had to set /var/lib/nginx to ec2-user/ec2-user

... after also chown/chgrp the parent nginx folder : no more errors.

Took me some hours...

Improve this answer
3
  • 8
    chown -Rf www-data:www-data /var/lib/nginx worked for me. didn't need to chmod anything. Commented Jul 24, 2015 at 20:48
  • checking log files helps always, remember to check them before anything :) Commented Jul 12, 2018 at 22:59
  • Worked for me. Had the same problem. /var/lib/nginx/ and /var/lib/nginx/tmp/ has owner "nobody". After switching to property user name it successfully created several folders under /tmp/. Commented Mar 24, 2021 at 23:37
15

This generally happens. When the user setting in nginx.conf is changed from 

user nginx;

to something else. In this case, 

user ec2-user ec2-user;

The chmod command is not necessary per Chris's comment, and could open up a security hole.

Solution:

Check the current user and group ownership on /var/lib/nginx.

$ ls -ld /var/lib/nginx drwx------ 3 nginx nginx 4096 Aug 5 00:05 /var/lib/nginx

This tells you that a possibly non-existant user and group named nginx owns this folder. This prevents file uploading.

Change the folder ownership to the user defined in nginx.conf in this case ec2-user (sudo may not be required).

$ sudo chown -Rf ec2-user:ec2-user /var/lib/nginx

Verify that it actually changed.

$ ls -ld /var/lib/nginx drwx------ 3 ec2-user ec2-user 4096 Aug 5 00:05 /var/lib/nginx

The permission denied error should now go away. Check the error.log (based on nginx.conf error_log location).

$ sudo nano /opt/nginx/error.log

If that doesn't work you might need to reload nginx and php-fpm.

$ sudo service nginx reload $ sudo service php-fpm reload
Improve this answer
3
  • That did the trick on my google cloud Centos 7 server. Commented Jun 19, 2019 at 6:05
  • Or if not using AWS, as per another user's comment, try: chown -Rf www-data:www-data /var/lib/nginx Commented Jul 22, 2023 at 18:19
  • solved same problem on debian 12 with nginx + php-fpm Commented Jan 16, 2024 at 8:36
3

None of the other solutions worked for me, but I found this to work:

$ apt-get install php-pear php5-dev $ pecl install timezonedb $ echo 'extension=timezonedb.so'> /etc/php5/mods-available/timezonedb.ini $ ln -sf /etc/php5/mods-available/timezonedb.ini /etc/php5/conf.d/30-timezonedb.ini $ service php5-fpm restart

Source

Improve this answer
1
  • Ok, we tried several solutions and this is the one that worked. We dont know why it worked or what the problem was, but it did. Commented Jun 11, 2015 at 12:56
1

I have got the similar problem with file upload. nginx 500 error 2015/07/05 03:50:36 [crit] 3656#0: *7 open() "/var/lib/nginx/tmp/client_body/0000000007" failed (13: Permission denied), client: 10.0.2.2, server: www.test.com, request: "POST /api/v1/users HTTP/1.1", host: "test"

The issue was related to permission only, i just set chmod -R 755 /var/lib/nginx and things worked!

Improve this answer
0

Just solved my issue with permissions. The easiest way and most simple was to not run php-fpm or nginx as sudo (super user). What you would have to do is:

  1. chown all log output locations for nginx to yourUserName:yourUserName example: chown yourUserName:yourUserName /var/log/nginx/error.log
  2. Next update server dir as well example: chown yourUserName:yourUserName -R /var/www

By not using root i didn't have to change php-fpm user or group or any listening user or groups. Make sure you also comment out nginx.conf 'user' as it will be the current users name.

Improve this answer
1
  • Please don't post the same answer multiple times. Also, this problem has long been solved. Commented Jul 21, 2017 at 21:18
0

Instead of editing permissions on /var/lib/nginx/whatever, wouldn't it make more sense to just tell nginx to use a different path like /tmp/nginx? This fixed the problem for me:

# create the directory mkdir /tmp/nginx chown -R nginx.nginx /tmp/nginx (assumes nginx user is named nginx) chmod -R 700 /tmp/nginx

/tmp/nginx permissions should be 700 preferably (which shouldn't be a problem as long as the owner is the same user specified in /etc/nginx/nginx.conf 'user' directive) or 770 if for some reason you need to have a different file owner and nginx to perform i/o via group permissions. Never seen that but who knows.

On centos7, edit /etc/nginx/nginx.conf to tell nginx to use that new directory for client bodies

... http { ... client_body_temp_path /tmp/nginx 1 2; ... }

and restart nginx (again centos7)

systemctl restart nginx
Improve this answer
2
  • 2
    Never chmod 777 anything. Especially not the cache! Now any local user can rewrite your cache and send potentially malicious data to your users. For uploads, someone could substitute their own upload instead. Commented Apr 26, 2019 at 4:51
  • Jesus dude relax, this build is part of a demo cluster. But good catch for people who might not know better, I'll edit the answer. Commented Apr 26, 2019 at 4:57

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.