permission error with php/nginx and not using www-data

General Tech Bugs & Fixes
Yasmin Mirza

User

( 6 months ago )

 

-edit- What's even more curious is that if I chmod 777 /var/run/php-fastcgi/php-fastcgi.socket, this works. If it's not www-data, php-www (nor root), then what user is trying to access the socket? :|

-edit2- I added chown www-data:$FASTCGI_GROUP $SOCKET to the end of the script below (which is right after spawn-fcgi) and that solves the problem, but I'm confused: www-data is in the php-www group. Why must it be owner? I didn't change FASTCGI_USER back to www-data because it would defeat the purpose (it would allow the PHP files to access all my files as www-data, which I don't want).

Essentially, what I wanted to do is have the PHP process not be www-data, so if it gets compromised its damage is limited to the very few PHP sites I have. What I did was create the user php-www and add its group to www-data. When I log in as www-data I can access everything in php-www; however, php-www can't access anything but my PHP sites. Perfect.

I got php+nginx running. But now changing it gives me a problem. I see www-data mentioned in an init.d script which changes the ownership of a folder. It's fine and I changed it to php-www. That's not a problem.

What is the problem is the spawn script.

#!/bin/bash

FASTCGI_USER=php-www
FASTCGI_GROUP=php-www
SOCKET=/var/run/php-fastcgi/php-fastcgi.socket
PIDFILE=/var/run/php-fastcgi/php-fastcgi.pid
CHILDREN=6
PHP5=/usr/bin/php5-cgi

/usr/bin/spawn-fcgi -s $SOCKET -P $PIDFILE -C $CHILDREN -u $FASTCGI_USER -g $FASTCGI_GROUP -f $PHP5

The user/group lines used to say www-data, but now I changed them to php-www.

I started php-fastcgi and nginx. When I visit my site I get a 502 bad gateway error. When I look in the nginx logs I see this line:

connect() to unix:/var/run/php-fastcgi/php-fastcgi.socket failed (13: Permission denied) while connecting to upstream

Permission denied!?! Why!?! www-data does have the group php-www, and stat on that folder and socket shows owner and group php-www. I can access the PHP file with both php-www and www-data. Why am I getting a permission error? And what am I doing wrong?

In case you want to see my process:

# ps aux | egrep "php|www"

shows

www-data   548  0.0  0.1   1908   492 ?        Ss   18:08   0:00 /usr/sbin/fcgiwrap
www-data   586  0.0  0.1   1908   488 ?        Ss   18:08   0:00 /usr/sbin/fcgiwrap
php-www   1611  0.0  1.9  19312  5020 ?        Ss   18:20   0:00 /usr/bin/php5-cgi
php-www   1612  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1613  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1614  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1615  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1616  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
php-www   1617  0.0  0.7  19312  1856 ?        S    18:20   0:00 /usr/bin/php5-cgi
www-data  1776  0.0  0.6   5428  1684 ?        S    18:27   0:00 nginx: worker process
php-www   1967  0.0  1.9  19312  5020 ?        Ss   18:40   0:00 /usr/bin/php5-cgi
php-www   1968  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1969  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1970  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1971  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1972  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
php-www   1973  0.0  0.7  19312  1856 ?        S    18:40   0:00 /usr/bin/php5-cgi
root      2110  0.0  0.2   3300   736 pts/1    S+   18:55   0:00 egrep php|www

Kajal Gaur

User

( 6 months ago )

The socket probably isn't group readable and writeable.
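
The check the answer above points at, as an added example that is not part of the original thread: a shell model of the file-permission test the Linux kernel applies when nginx calls connect() on the socket. The function names and the sample modes (755, 777, 660) are assumptions constructed for illustration; the user and group names are the ones from the question.

```shell
#!/bin/bash
# Added example (not from the thread). On Linux, connect() to a Unix socket
# needs WRITE permission on the socket file, and only ONE permission class is
# consulted: owner, else group, else other. Being a member of the socket's
# group does not help when the group bits lack "w".

# can_connect MODE OWNER GROUP USER "USER_GROUPS"
# MODE is octal (755, 0660); USER_GROUPS is a space-separated list.
# Prints the class that was checked; returns 0 when connect() would be allowed.
can_connect() {
    local mode bits class digit g
    mode="000$1"
    bits=${mode#"${mode%???}"}      # last three octal digits: owner, group, other
    if [ "$4" = root ]; then echo root; return 0; fi   # root bypasses mode bits
    class=other
    if [ "$4" = "$2" ]; then
        class=owner
    else
        for g in $5; do
            if [ "$g" = "$3" ]; then class=group; fi
        done
    fi
    case $class in
        owner) digit=${bits%??} ;;
        group) digit=${bits#?}; digit=${digit%?} ;;
        other) digit=${bits#??} ;;
    esac
    echo "$class"
    case $digit in 2|3|6|7) return 0 ;; *) return 1 ;; esac   # write bit set?
}

# check_socket PATH USER: same decision for a real socket (GNU stat and id).
check_socket() {
    local meta
    meta=$(stat -c '%a %U %G' "$1") || return 2
    set -- $meta "$2" "$(id -Gn "$2")"   # deliberate word splitting: mode owner group
    can_connect "$1" "$2" "$3" "$4" "$5"
}

# Constructed cases mirroring the thread: nginx worker = www-data, in group php-www.
for sc in "755 php-www php-www" "777 php-www php-www" \
          "755 www-data php-www" "660 php-www php-www"; do
    set -- $sc
    if class=$(can_connect "$1" "$2" "$3" www-data "www-data php-www"); then
        verdict=allowed
    else
        verdict=denied
    fi
    echo "mode=$1 owner=$2 group=$3 -> www-data checked as $class: $verdict"
done
```

Running `check_socket /var/run/php-fastcgi/php-fastcgi.socket www-data` applies the same decision to the live socket. A group-writable mode such as 660 with group php-www lets the nginx worker connect without resorting to chmod 777 or making www-data the owner.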
