Jesin's Blog

How to fix connect() to php5-fpm.sock failed (13: Permission denied) while connecting to upstream Nginx error

October 11, 2014 Web Servers Jesin A 2 Comments

I encountered this problem after updating PHP to 5.5.12. I use Nginx with PHP5 FPM, and after updating PHP I was seeing 502 Gateway Error pages. Nginx’s error log file (/var/log/nginx/error.log) had the following in it:

2014/05/08 06:22:24 [crit] 24538#0: *292759 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 1.1.1.1, server: websistent.com, request: "GET /wordpress-custom-403-401-error-page/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "websistent.com"

It was clear that Nginx couldn’t access PHP FPM’s socket file due to insufficient permissions. But everything was working fine until I updated PHP, so something had changed in version 5.5.12. The changelog for this version has the following information under the FPM section:

Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185).

The default value of listen.mode was 0666 prior to 5.5.12. To fix the CVE-2014-0185 vulnerability, this was changed to 0660. This is evident from the permissions:

$ ls -l /var/run/php5-fpm.sock
srw-rw---- 1 root root 0 May 1 19:40 /var/run/php5-fpm.sock

Notice the first column of the output, srw-rw----: it means users/groups other than root do not have any permissions on this file.

We have two options now:

  1. Explicitly set “listen.mode” to 0666, which makes it insecure, or
  2. Change the owner and group of the socket file so that Nginx can read/write to it.

Option 2 is highly recommended. Find out the username used by the Nginx worker processes:

grep 'user' /etc/nginx/nginx.conf

The most common ones are either www-data or nginx. Edit the PHP FPM pool configuration file:

/etc/php5/fpm/pool.d/www.conf

Find the following lines:

;listen.owner = www-data
;listen.group = www-data

Remove the semicolon “;” before these lines. It is highly unlikely that these lines aren’t present; if they are missing, add them WITHOUT a semicolon at the beginning.

If you have multiple pools with different listen.owner and listen.group values, make sure the Nginx user (for example www-data) is a member of each pool’s listen.group as a secondary group. So if an FPM pool is owned by bob:

listen.owner = bob
listen.group = bob

Add the user www-data as a member of the secondary group bob:

# -a appends to the existing secondary groups; -G alone would replace them
usermod -a -G bob www-data

Restart the PHP FPM daemon:

service php5-fpm restart

Check whether the ownership of the socket file has changed:

$ ls -l /var/run/php5-fpm.sock
srw-rw---- 1 www-data www-data 0 May 1 22:13 /var/run/php5-fpm.sock

PHP pages will load now without any problems.
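
The decision the steps above walk through, as an added shell example that is not part of the original post: it reads a pool file's listen.owner, listen.group and listen.mode and reports whether the Nginx user would be refused (error 13), allowed, or whether the socket is open to every local user. The function names and the sample pool files are constructed for illustration, and unset values are assumed to default to root:root and 0660, as in the ls output above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PHP-FPM pool's socket settings.

# Print the value of an active (uncommented) "key = value" line, or nothing.
pool_value() {  # usage: pool_value FILE KEY
    awk -F= -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/[ \t]/, "", val); v = val }
        END { print v }' "$1"
}

# Classify a pool: INSECURE (any local user can connect), OK, or DENIED (error 13).
# usage: audit_pool FILE NGINX_USER "GROUPS OF NGINX_USER"
# Assumption: unset owner/group default to root and mode to 0660 (see the ls output).
audit_pool() {
    owner=$(pool_value "$1" listen.owner); owner=${owner:-root}
    group=$(pool_value "$1" listen.group); group=${group:-root}
    mode=$(pool_value "$1" listen.mode);   mode=${mode:-0660}
    m=$((0$mode))   # leading 0 makes the shell parse the mode as octal
    # connect() on a Unix socket needs write permission on the socket file
    if [ $((m & 2)) -ne 0 ]; then echo INSECURE; return; fi
    if [ "$owner" = "$2" ]; then   # the owner is judged by the owner bits only
        [ $((m & 0200)) -ne 0 ] && echo OK || echo DENIED; return
    fi
    for g in $3; do
        if [ "$g" = "$group" ] && [ $((m & 020)) -ne 0 ]; then echo OK; return; fi
    done
    echo DENIED
}

# Constructed sample pools: post-update defaults, option 2, option 1, a second pool.
demo() {
    d=$(mktemp -d)
    printf '[www]\n;listen.owner = www-data\n;listen.group = www-data\n' > "$d/default.conf"
    printf '[www]\nlisten.owner = www-data\nlisten.group = www-data\n' > "$d/fixed.conf"
    printf '[www]\nlisten.mode = 0666\n' > "$d/weak.conf"
    printf '[bob]\nlisten.owner = bob\nlisten.group = bob\n' > "$d/bob.conf"
    for f in default fixed weak bob; do
        echo "$f: $(audit_pool "$d/$f.conf" www-data "www-data")"
    done
    rm -rf "$d"
}
demo
```

On a live server, call it as audit_pool /etc/php5/fpm/pool.d/www.conf www-data "$(id -Gn www-data)".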

Tags: nginx, nginx errors

Comments

  1. Guicara says

    July 18, 2015 at 6:27 pm

    That’s perfect, thank you!

  2. Nenad Kostic says

    September 2, 2015 at 12:52 pm

    Exactly what I was searching! Excellent post!

    Jesin's Blog by Jesin A is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
    Based on a work at websistent.com.