12

I read several entries on why PHP-FPM might give me permission denied but I cannot solve it.

The error logs read like:

    2013/04/20 23:33:28 [crit] 15479#0: *6 open() "/var/lib/nginx/tmp/fastcgi/2/00/0000000002" failed (13: Permission denied) while reading upstream, client: 99.999.999.999, server: example.net, request: "GET /wp-admin/ HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fpm.sock:", host: "example.net", referrer: "http://example.net/"

I'm a little bit lost:

  1. I have set the /var/lib/nginx/tmp to ec2-user (I even +777 everything to check)
  2. I have set the /tmp/php-fpm.sock to ec2-user
  3. the nginx conf file is set to ec2-user
  4. the php-conf is set to user and group ec2-user
  5. ps aux gives ec2-user on all php-fpm and nginx processes

My Nginx configuration includes a lot of files; the basic conf is:

user              ec2-user ec2-user;
worker_processes  5;  
error_log /opt/nginx/error.log;    
pid        /var/run/nginx.pid;    
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;    
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /opt/nginx/access.log main;    
    sendfile        on;
    keepalive_timeout  65;
    client_max_body_size 13m;
    index index.php index.html index.htm;
    upstream php {
       server unix:/tmp/php-fpm.sock;
    }
    include /etc/nginx/conf.d/*.conf;
    include /mnt/web/nginx/conf.d/*.conf;
}

My /etc/nginx/conf.d/ is empty; my /mnt/web/nginx/conf.d contains A LOT of website configurations, which all include "wordpress.conf":

location / {
    try_files $uri $uri/ /index.php?$args;
}
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires 24h;
    log_not_found off;
}
location ~ \.php$ {
    try_files $uri =404;    
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php;
}

My /opt/php/etc/php-fpm.conf:

include=/opt/php/etc/fpm.d/*.conf
pid = run/php-fpm.pid
error_log = log/php-fpm.log
log_level = notice
[www]
listen = /tmp/php-fpm.sock
user = ec2-user
group = ec2-user
pm = dynamic
pm.max_children = 250
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
pm.status_path = /fpm-status
ping.path = /fpm-ping
slowlog = log/$pool.log.slow
catch_workers_output = yes

UPDATE: found the problem, put it in the answer

edelwater

6 Answers

21

I had set the /var/lib/nginx/tmp to ec2-user/ec2-user (I even +777 everything to check)

But ... I also had to set /var/lib/nginx to ec2-user/ec2-user

... after also chown/chgrp the parent nginx folder: no more errors.

Took me some hours...

edelwater
  • 8
    `chown -Rf www-data:www-data /var/lib/nginx` worked for me. didn't need to chmod anything. – Chris Jul 24 '15 at 20:48
  • checking log files helps always, remember to check them before anything :) – sorrow poetry Jul 12 '18 at 22:59
  • Worked for me. Had the same problem. /var/lib/nginx/ and /var/lib/nginx/tmp/ had owner "nobody". After switching to the proper user name it successfully created several folders under /tmp/. – Aleksey Kuznetsov Mar 24 '21 at 23:37
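The point of the answer above, that the parent /var/lib/nginx has to be accessible and not only /var/lib/nginx/tmp, can be checked mechanically. The script below is an added example, not part of the original thread; the function names are made up for illustration, and it assumes GNU stat and looks only at classic mode bits (no ACLs or SELinux).

```shell
#!/bin/sh
# Added example, not from the thread. Finds the first directory on a path that
# a given uid cannot search (x bit), judging by owner/group/other mode bits only.
# Assumptions: GNU stat; ACLs and SELinux ignored; run as root to see every level.

# can_search UID "GID GID ..." DIR -> exit 0 if the mode bits grant x to that uid
can_search() {
    cs_uid=$1; cs_gids=$2
    [ "$cs_uid" -eq 0 ] && return 0              # root bypasses mode bits
    cs_info=$(stat -L -c '%u %g %a' -- "$3") || return 2
    set -- $cs_info                               # $1=owner uid $2=gid $3=octal mode
    cs_mode=$(printf '%04d' "$3")                 # stat prints 700, 70, 0, 1777 ...
    cs_rest=${cs_mode#?}                          # drop setuid/setgid/sticky digit
    if [ "$cs_uid" -eq "$1" ]; then
        cs_d=${cs_rest%??}                        # owner digit
    elif case " $cs_gids " in *" $2 "*) true ;; *) false ;; esac; then
        cs_d=${cs_rest#?}; cs_d=${cs_d%?}         # group digit
    else
        cs_d=${cs_rest#??}                        # other digit
    fi
    [ $((cs_d & 1)) -eq 1 ]                       # x is the low bit of the digit
}

# first_blocked UID "GIDS" /abs/path -> prints the first directory, checked from
# / downward, that the uid cannot search; prints nothing when every level passes.
first_blocked() {
    fb_uid=$1; fb_gids=$2; fb_left=${3#/}; fb_cur=
    can_search "$fb_uid" "$fb_gids" / || { echo /; return 0; }
    while [ -n "$fb_left" ]; do
        fb_cur=$fb_cur/${fb_left%%/*}             # append the next component
        case $fb_left in */*) fb_left=${fb_left#*/} ;; *) fb_left= ;; esac
        [ -d "$fb_cur" ] || break                 # stop at a file or missing entry
        can_search "$fb_uid" "$fb_gids" "$fb_cur" || { echo "$fb_cur"; return 0; }
    done
    return 0
}

# Script usage: sh check_path.sh ec2-user /var/lib/nginx/tmp/fastcgi
if [ "$#" -eq 2 ]; then
    first_blocked "$(id -u "$1")" "$(id -G "$1")" "$2"
fi
```

With the layout from this thread (a 700 parent owned by nginx and a 777 tmp below it), the script prints /var/lib/nginx for ec2-user, which is why loosening the child directory alone changed nothing.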
13

This generally happens when the user setting in nginx.conf is changed from

user nginx;

to something else. In this case,

user ec2-user ec2-user;

The chmod command is not necessary per Chris's comment, and could open up a security hole.

Solution:

Check the current user and group ownership on /var/lib/nginx.

$ ls -ld /var/lib/nginx
drwx------ 3 nginx nginx 4096 Aug  5 00:05 /var/lib/nginx

This tells you that a possibly nonexistent user and group named nginx owns this folder. This prevents file uploading.

Change the folder ownership to the user defined in nginx.conf, in this case ec2-user (sudo may not be required).

$ sudo chown -Rf ec2-user:ec2-user /var/lib/nginx

Verify that it actually changed.

$ ls -ld /var/lib/nginx
drwx------ 3 ec2-user ec2-user 4096 Aug  5 00:05 /var/lib/nginx

The permission denied error should now go away. Check the error.log (based on nginx.conf error_log location).

$ sudo nano /opt/nginx/error.log

If that doesn't work you might need to reload nginx and php-fpm.

$ sudo service nginx reload
$ sudo service php-fpm reload
nu everest
3

None of the other solutions worked for me, but I found this to work:

$ apt-get install php-pear php5-dev
$ pecl install timezonedb
$ echo 'extension=timezonedb.so'> /etc/php5/mods-available/timezonedb.ini
$ ln -sf /etc/php5/mods-available/timezonedb.ini /etc/php5/conf.d/30-timezonedb.ini
$ service php5-fpm restart

Source

nullvariable
  • Ok, we tried several solutions and this is the one that worked. We don't know why it worked or what the problem was, but it did. – Ne Ma Jun 11 '15 at 12:56
1

I have got a similar problem with file upload. nginx 500 error:

    2015/07/05 03:50:36 [crit] 3656#0: *7 open() "/var/lib/nginx/tmp/client_body/0000000007" failed (13: Permission denied), client: 10.0.2.2, server: www.test.com, request: "POST /api/v1/users HTTP/1.1", host: "test"

The issue was related to permission only, I just set chmod -R 755 /var/lib/nginx and things worked!

0

Just solved my issue with permissions. The easiest way and most simple was to not run php-fpm or nginx as sudo (super user). What you would have to do is:

  1. chown all log output locations for nginx to yourUserName:yourUserName, example: chown yourUserName:yourUserName /var/log/nginx/error.log
  2. Next update server dir as well, example: chown yourUserName:yourUserName -R /var/www

By not using root I didn't have to change php-fpm user or group or any listening user or groups. Make sure you also comment out nginx.conf 'user' as it will be the current user's name.

c-l-h
  • Please don't post the same answer multiple times. Also, this problem has long been solved. – Sven Jul 21 '17 at 21:18
0

Instead of editing permissions on /var/lib/nginx/whatever, wouldn't it make more sense to just tell nginx to use a different path like /tmp/nginx? This fixed the problem for me:

# create the directory
mkdir /tmp/nginx
# assumes nginx user is named nginx
chown -R nginx:nginx /tmp/nginx
chmod -R 700 /tmp/nginx

/tmp/nginx permissions should be 700 preferably (which shouldn't be a problem as long as the owner is the same user specified in /etc/nginx/nginx.conf 'user' directive) or 770 if for some reason you need to have a different file owner and nginx to perform i/o via group permissions. Never seen that but who knows.

On centos7, edit /etc/nginx/nginx.conf to tell nginx to use that new directory for client bodies

...

http {
  ...
  client_body_temp_path /tmp/nginx 1 2;
  ...
}

and restart nginx (again centos7)

systemctl restart nginx
  • 2
    Never chmod 777 anything. Especially not the cache! Now any local user can rewrite your cache and send potentially malicious data to your users. For uploads, someone could substitute their own upload instead. – Michael Hampton Apr 26 '19 at 04:51
  • Jesus dude relax, this build is part of a demo cluster. But good catch for people who might not know better, I'll edit the answer. – siliconrockstar Apr 26 '19 at 04:57