Connect to FPM Socket Permission Denied after upgrade to PHP 5.5.12

If you’ve just upgraded your web server to PHP-FPM you probably noticed that your web sites went down and your Nginx logs or whatever server you are using are giving you an error message that include the following statement:

connect() to unix:/var/run/www.sock failed (13: Permission denied) while connecting to upstream

To provide some context for this problem see http://www.openwall.com/lists/oss-security/2014/04/29/5

What was happening before is that the sockets were being created with a mode (permissions) of 0666 which makes it possible in theory for any web site to connect to them. This could be a security issue for shared hosting as an example.
So the security fix was to have PHP-FPM create the sockets with a permission mode of 0660 instead.

Now the problem with most default web server configurations is that the sockets are created under the root user while nginx or apache are running as a web server such as www-data. This means the web server is not able to read the PHP socket.

The Solution

The solution is very simple which you can find at stackoverflow http://stackoverflow.com/a/23596317/1195553

You simply add the following 2 lines to your PHP-FPM web site configuration before or after you set the path to the socket itself.

listen.owner = www-data
listen.group = www-data

This causes the the socket to be created with the owner and group of www-data which allows the web frontend to access the socket without any permission issues.

Happy administration!

Leave a Reply

Your email address will not be published. Required fields are marked *