I encountered this problem after updating PHP to 5.5.12. I use Nginx with PHP5 FPM and after the updating PHP I was seeing 502 Gateway Error pages. Nginx’s error log file (
/var/log/nginx/error.log) had the following in it:
2014/05/08 06:22:24 [crit] 24538#0: *292759 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 184.108.40.206, server: websistent.com, request: "GET /wordpress-custom-403-401-error-page/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "websistent.com"
It was clear that Nginx couldn’t access PHP FPM’s socket file due to insufficient permissions. But everything was working fine till I updated PHP so something had changed in version 5.5.12. The changelog for this version has the following information under the FPM section:
Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185).
The default value of the
0666 prior 5.5.12. To fix the CVE-2014-0185 vulnerability this was changed to
0660. This is evident from the permissions:
$ ls -l /var/run/php5-fpm.sock srw-rw---- 1 root root 0 May 1 19:40 /var/run/php5-fpm.sock
Notice the first column of the output
srw-rw----, it means users/groups other than root do not have any permissions on this file.
We have two options now:
- Explicitly set the “listen.mode” to 0666 which make it insecure, or
- Change the owner and group of the socket file so that Nginx can read/write to it.
Option 2 is highly recommended, find out username used by the Nginx worker processes:
grep 'user' /etc/nginx/nginx.conf
The most common ones are either
nginx. Edit PHP FPM pool configuration file:
Find the following lines:
;listen.owner = www-data ;listen.group = www-data
Remove the semicolon “;” before these lines. It is highly unlikely that these lines aren’t present in which case you can add them WITHOUT a semicolon at the beginning.
If you have multiple pools with different
listen.groups make sure the Nginx user (for example
www-data) is a member of the
listen.group secondary group. So if a FPM pool is owned by bob:
listen.owner = bob listen.group = bob
Add the user
www-data as a member of secondary group bob
usermod -G bob www-data
Restart the PHP FPM daemon
service php5-fpm restart
Check if the ownership of the socket file has changed
$ ls -l /var/run/php5-fpm.sock srw-rw---- 1 www-data www-data 0 May 1 22:13 /var/run/php5-fpm.sock
PHP pages will load now without any problems.
That’s perfect, thank you!
Nenad Kostic says
Exactly what I was searching ! Excellent post!