Keywords: Nginx | PHP-FPM | Permission Denied | Unix Socket | System Configuration
Abstract: This technical article provides an in-depth analysis of permission denied errors when Nginx connects to PHP-FPM sockets, offering comprehensive troubleshooting and resolution strategies through system permission configuration, security policy adjustments, and service coordination mechanisms. With detailed error logs and configuration examples, it explains the root causes and repair procedures to help developers and system administrators quickly identify and resolve such issues.
Problem Background and Error Analysis
After upgrading Nginx to version 1.4.7 and PHP to version 5.5.12, the system encountered a 502 error. The error log indicates: connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied). This error signifies that the Nginx process was denied access by the permission system when attempting to connect to the PHP-FPM Unix socket.
Technical Principle Deep Dive
Unix sockets, as inter-process communication mechanisms, are governed by file system permission controls. PHP version 5.5.12 addressed a security vulnerability (Bug #67060) where socket file permissions were overly permissive, allowing read and write access by other users. Post-fix, the default permissions for socket files became more restrictive, potentially preventing previously configured Nginx users from accessing them.
Core Solution Implementation Steps
Based on the permission adjustments required after PHP security updates, here is the standard operational procedure to resolve permission issues:
Step 1: Modify PHP-FPM Pool Configuration
Open the PHP-FPM pool configuration file, typically located at /etc/php5/fpm/pool.d/www.conf or /etc/php/7.0/fpm/pool.d/www.conf (depending on the PHP version). Uncomment the following permission-related directives:
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
Here, listen.owner and listen.group should be set to the same user and group as the Nginx runtime user, commonly www-data in Debian/Ubuntu systems. If the system uses a different user (e.g., nginx), adjust accordingly.
Step 2: Restart PHP-FPM Service
After modifying the configuration, restart the PHP-FPM service to apply the changes:
sudo service php5-fpm restart
Or for PHP 7.0 and above:
sudo service php7.0-fpm restart
Step 3: Verify Socket File Permissions
Post-restart, verify the socket file permissions using:
ls -l /var/run/php5-fpm.sock
The correct output should display:
srw-rw---- 1 www-data www-data 0 May 3 13:30 /var/run/php5-fpm.sock
Here the leading s marks a Unix socket, and rw-rw---- grants read and write permission to the owner (www-data) and the group (www-data) and no permission to anyone else.
Configuration Consistency Check and Validation
To ensure configuration consistency, verify that the fastcgi_pass directive in the Nginx configuration points to the correct socket path:
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /usr/home/user/public_html$fastcgi_script_name;
    include fastcgi_params;
}
Also confirm that the Nginx runtime user matches the owner (or group) of the PHP-FPM socket. The runtime user and group are set by the user directive in nginx.conf, for example:
user www www;
In this example Nginx runs as user www and group www, which would not match a socket owned by www-data:www-data. If the users do not match, either adjust listen.owner and listen.group in the PHP-FPM configuration or change the Nginx runtime user.
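The following checker is an added example, not part of the original article: it reads the listen.* directives from a pool file (Step 1) and the user directive from nginx.conf (the consistency check above), then applies the Unix owner/group/other rule to tell whether the Nginx user could open the socket. The pool and nginx.conf snippets it runs on are constructed here, and the nobody:nobody default for a missing user directive is nginx's documented default.

```python
import re

def parse_pool_listen(pool_conf):
    """listen.owner/.group/.mode from a php-fpm pool file; ';' starts a comment, so a
    still-commented directive stays None."""
    found = {}
    for raw in pool_conf.splitlines():
        key, sep, value = raw.split(";", 1)[0].partition("=")
        if sep and key.strip().startswith("listen."):
            found[key.strip()] = value.strip()
    mode = found.get("listen.mode")
    return found.get("listen.owner"), found.get("listen.group"), int(mode, 8) if mode else None

def parse_nginx_user(nginx_conf):
    """(user, group) from nginx's 'user' directive ('#' comments stripped). The group
    defaults to the user name; with no directive nginx runs as its default nobody:nobody."""
    for raw in nginx_conf.splitlines():
        m = re.match(r"user\s+([^\s;]+)(?:\s+([^\s;]+))?\s*;$", raw.split("#", 1)[0].strip())
        if m:
            return m.group(1), m.group(2) or m.group(1)
    return "nobody", "nobody"

def socket_rw_allowed(owner, group, mode, user, user_groups):
    """Unix rule: the first class (owner, then group, then other) the user falls into decides;
    connect() on a Unix socket needs both read and write in that class."""
    shift = 6 if user == owner else 3 if group in user_groups else 0
    return ((mode >> shift) & 0o6) == 0o6

def diagnose(pool_conf, nginx_conf, extra_groups=()):
    """Findings behind a '13: Permission denied'; an empty list means the nginx user can
    open the socket. extra_groups: the nginx user's supplementary groups (id -Gn <user>)."""
    owner, group, mode = parse_pool_listen(pool_conf)
    findings = [f"{k} is unset in the pool config (still commented out?)" for k, v in
                [("listen.owner", owner), ("listen.group", group), ("listen.mode", mode)] if v is None]
    if findings:
        return findings
    user, ngroup = parse_nginx_user(nginx_conf)
    if not socket_rw_allowed(owner, group, mode, user, {ngroup, *extra_groups}):
        findings.append(f"nginx user {user} (group {ngroup}) cannot read+write a socket "
                        f"owned by {owner}:{group} with mode {mode:04o}")
    return findings

# Constructed sample inputs, not files captured from the page's system
POOL_OK = "listen = /var/run/php5-fpm.sock\nlisten.owner = www-data\nlisten.group = www-data\nlisten.mode = 0660\n"
POOL_COMMENTED = POOL_OK.replace("\nlisten.", "\n;listen.")  # directives left commented out
NGINX_DEBIAN = "user www-data;\nworker_processes 4;\n"
NGINX_WWW = "user www www;  # the nginx.conf line quoted in the article\n"
```

Running diagnose(POOL_OK, NGINX_WWW) reproduces the mismatch discussed above, while passing extra_groups=("www-data",) shows that group membership alone is enough under listen.mode = 0660.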
System Service Coordination Mechanism Analysis
When Nginx and PHP-FPM communicate via Unix sockets, multiple system components work in coordination:
- Process Permission Model: Nginx worker processes require permissions to access the socket file.
- File System Permissions: The directory containing the socket file must allow access by the Nginx user.
- Service Startup Order: PHP-FPM should start before Nginx to ensure the socket file exists.
- SELinux/AppArmor: On some systems, access control policies from security modules must be considered.
Troubleshooting and Log Analysis
If the issue persists, conduct in-depth troubleshooting with:
# Check Nginx error log
sudo tail -f /var/log/nginx/error.log
# Check PHP-FPM error log
sudo tail -f /var/log/php5-fpm.log
# Check system permissions
namei -l /var/run/php5-fpm.sock
The namei command displays permissions for each component in the path, helping identify permission issues at directory levels.
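As an added example (not from the original article), the function below does by hand what a reader of namei -l output does: it checks every directory on the path for search permission and the final socket for read and write, for a given user and group set (the "File System Permissions" point in the section above). The namei output it parses is constructed here, with /run deliberately shown as mode 0700 to produce a finding.

```python
import re

# One line of `namei -l` output: type+mode, owner, group, name (symlinks show "name -> target")
NAMEI_LINE = re.compile(r"^([-dlsbcp][rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+(.+)$")

def class_bits(sym, owner, group, user, groups):
    """The rwx triplet that applies to `user`: owner bits if it owns the entry, else group
    bits if it is in the entry's group, else the 'other' bits."""
    if user == owner:
        return sym[1:4]
    return sym[4:7] if group in groups else sym[7:10]

def check_namei(output, user, groups):
    """Walk namei -l output and return (name, reason) for every component that stops `user`:
    each directory needs search (x) permission, the final socket needs read and write.
    Symlink entries are skipped; namei lists the resolved target's components after them."""
    problems = []
    for line in output.splitlines():
        m = NAMEI_LINE.match(line)
        if not m:
            continue  # e.g. the leading "f: /path" line
        sym, owner, group, name = m.groups()
        bits = class_bits(sym, owner, group, user, groups)
        if sym[0] == "l":
            continue
        if sym[0] == "d":
            if bits[2] not in "xst":  # lowercase s/t mean x plus setuid/setgid/sticky
                problems.append((name, f"{user} has no search permission: {sym} {owner}:{group}"))
        elif bits[:2] != "rw":
            problems.append((name, f"{user} cannot read+write: {sym} {owner}:{group}"))
    return problems

# Constructed sample of `namei -l /var/run/php5-fpm.sock`, not captured from a real host.
# /var/run resolves to /run, which is deliberately shown as 0700 to demonstrate a finding;
# the last line matches the ls -l result shown in Step 3.
NAMEI_OUTPUT = """\
f: /var/run/php5-fpm.sock
drwxr-xr-x root     root     /
drwxr-xr-x root     root     var
lrwxrwxrwx root     root     run -> /run
drwxr-xr-x root     root       /
drwx------ root     root       run
srw-rw---- www-data www-data php5-fpm.sock
"""
```

Note that root is not special-cased: the function models plain mode bits only, not capability overrides such as CAP_DAC_OVERRIDE.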
Security Best Practices
While resolving permission issues, adhere to these security principles:
- Apply the principle of least privilege, granting only necessary access permissions.
- Regularly update software to incorporate security fixes.
- Monitor system logs to detect abnormal access patterns.
- Use dedicated system users for service execution in production environments.
Conclusion
Nginx connection to PHP-FPM socket permission errors often stem from security policy changes after service version updates. By correctly configuring PHP-FPM socket permission parameters, ensuring the Nginx user has appropriate access rights, and validating configuration consistency, such issues can be effectively resolved. Understanding Unix permission models and inter-service communication mechanisms is crucial for preventing and addressing similar faults.