55

I have a PHP script that creates a directory and outputs an image to the directory. This was working just fine under Apache but we recently decided to switch to NGINX to make more use of our limited RAM. I'm using the PHP mkdir() command to create the directory:

mkdir(dirname($path['image']['server']), 0755, true);

After the switch to NGINX, I'm getting the following warning:

Warning: mkdir(): Permission denied in ...

I've already checked all the permissions of the parent directories, so I've determined that I probably need to change the NGINX or PHP-FPM 'user' but I'm not sure how to do that (I never had to specify user permissions for APACHE). I can't seem to find much information on this. Any help would be great!

(Note: Besides this little hang-up, the switch to NGINX has been pretty seamless; I'm using it for the first time and it literally only took about 10 minutes to get up and running with NGINX. Now I'm just ironing out the kinks.)

bignose
  • 942
  • 10
  • 20
David
  • 745
  • 3
  • 7
  • 10
  • 1
    If nginx was installed by a package manager, the best is probably to just use 'ps' to see what user nginx is running as and change the owner of the directory to that user. Usually security is set up pretty well by default by the packages, changing user may upset something else. – Joachim Isaksson Sep 29 '12 at 15:18
  • `nginx.conf` and `www.conf` by default IIRC. – PeeHaa Sep 29 '12 at 15:21
  • If you're using fastcgi, check if you can suexec the phpscripts. that will allow you to run different sites under their specific user. I'm sure some setup instructions are available online. – hakre Sep 29 '12 at 15:22

4 Answers4

79

Run nginx & php-fpm as www:www

###1. Nginx

Edit nginx.conf and set user to www www;:

user www www;

If the master process is run as root, then nginx will setuid()/setgid() to USER/GROUP. If GROUP is not specified, then nginx uses the same name as USER. By default it's nobody user and nobody or nogroup group or the --user=USER and --group=GROUP from the ./configure script.

###2. PHP-FPM

Edit php-fpm.conf and set user and group to www:

[www]
user=www
group=www

user - Unix user of processes. Default "www-data"

group - Unix group of processes. Default "www-data"

Gogowitsch
  • 304
  • 2
  • 10
glavić
  • 928
  • 7
  • 11
  • 1
    Okay I just changed nginx.conf (it was set to `user www-data`). However, I don't see *any* user defined in `php-fpm.conf`. Should I just add it to the top using the same syntax (`user www www`)? – David Sep 29 '12 at 15:29
  • php-conf syntax is not the same os nginx.conf. Find `[www]` part and add `user=www` in next line, and `group=www` in the next. – glavić Sep 29 '12 at 15:30
  • I got the following error when restarting nginx: Restarting nginx: `[emerg] getpwnam("www") failed in /etc/nginx/nginx.conf:1 nginx: configuration file /etc/nginx/nginx.conf test failed`. – David Sep 29 '12 at 15:45
  • Then you can either run Nginx and php-fpm as the user that has appropriate permissions for the appropriate directories or create a new user called www by running "sudo useradd -g www www". Please let us know, if you need more detailed explanation. – Roman Prykhodchenko Sep 29 '12 at 16:01
  • is there any reason as to why you'd need to use `www` instead of the already existing `www-data` ? – xorinzor Nov 30 '16 at 21:47
  • 3
    @xorinzor: no, use what you have :D – glavić Dec 01 '16 at 09:25
  • in nginx.con I am having ```user "myname" staff;``` and In fpm.conf I am having nobody in both user and group what should I do ? – Furquan May 12 '20 at 16:20
34

In Ubuntu 14.04 the file to change user and group in PHP-FPM is: /etc/php5/fpm/pool.d/www.conf. In this file change these parameters:

user = www
group = www
listen.owner = www
listen.group = www
iarroyo
  • 443
  • 4
  • 6
7

To answer your actual question is to just change the user line in nginx.conf like so:

user    [username];

Example:

user    www-data;

The preferred user for Nginx to run as actually differs between operating systems. Sometimes Nginx is supposed to run as www-data. Other times it is actually supposed to run as nobody.

On some operating systems (such as Windows), it doesn't even matter, and the user line in nginx.conf can be commented out or entirely excluded.

rubynorails
  • 369
  • 3
  • 14
  • If I add the user directive in and restart Nginx service, it throws an error saying that the 'user' is an unknwn directive - is it therefore ok just to leave it out? – JoeTidee Jun 28 '16 at 10:29
  • Yes, depending on OS and/or Nginx, some versions do not require an explicit user directive. – rubynorails Jun 29 '16 at 20:35
  • I had to place the user directive at the very top of my Nginx config file for it to be recognized. – JoeTidee Jun 30 '16 at 08:27
3

The following solution worked changing the web user with me using Ubuntu 18.04 LTS, nginx 1.14 and php7.2-fpm.

1. Nginx

Edit /etc/nginx/nginx.conf and set the user to webuser;

user webuser;

2. PHP-FPM

Edit /etc/php/7.2/fpm/pool.d/www.conf.

user = webuser
group = webuser
...
listen.owner = webuser
listen.group = webuser
AboElnouR
  • 131
  • 4