nginx error connect to php5-fpm.sock failed (13: Permission denied)
I had a similar error after php update. PHP fixed a security bug where o
had rw
permission to the socket file.
- Open
/etc/php5/fpm/pool.d/www.conf
or/etc/php/7.0/fpm/pool.d/www.conf
, depending on your version. Uncomment all permission lines, like:
listen.owner = www-datalisten.group = www-datalisten.mode = 0660
Restart fpm -
sudo service php5-fpm restart
orsudo service php7.0-fpm restart
Note: if your webserver runs as user other than www-data, you will need to update the www.conf
file accordingly
All the fixes currently mentioned here basically enable the security hole all over again.
What I ended up doing is adding the following lines to my PHP-FPM configuration file.
listen.owner = www-datalisten.group = www-data
Make sure that www-data is actually the user the nginx worker is running as. For debian it's www-data by default.
Doing it this way does not enable the security problem that this change was supposed to fix.
@Xander's solution works, but does not persist after a reboot.
I found that I had to change listen.mode
to 0660
in /etc/php5/fpm/pool.d/www.conf
.
Sample from www.conf:
; Set permissions for unix socket, if one is used. In Linux, read/write; permissions must be set in order to allow connections from a web server. Many; BSD-derived systems allow connections regardless of permissions. ; Default Values: user and group are set as the running user; mode is set to 0660;listen.owner = www-data;listen.group = www-data;listen.mode = 0660
Edit: Per @Chris Burgess, I've changed this to the more secure method.
I removed the comment for listen.mode, .group and .owner:
listen.owner = www-datalisten.group = www-datalisten.mode = 0660
/var/run Only holds information about the running system since last boot, e.g., currently logged-in users and running daemons. (http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard#Directory_structure).
Side note:
My php5-fpm -v
Reports: PHP 5.4.28-1+deb.sury.org~precise+1
. The issue did happen after a recent update as well.