deepakdargade · October 3, 2015 07:36
diff --git a/wordpress php permission issue b/wordpress php permission issue
 http://websistent.com/fix-connect-to-php5-fpm-sock-failed-13-permission-denied-while-connecting-to-upstream-nginx-error/




 How to fix connect() to php5-fpm.sock failed (13: Permission denied) while connecting to upstream Nginx error
 October 11, 2014 Web Servers Jesin A 2 Comments

 nginx php5 fpm socket permission denied thumbnail


 I encountered this problem after updating PHP to 5.5.12. I use Nginx with PHP5 FPM and after the updating PHP I was seeing 502 Gateway Error pages. Nginx’s error log file (/var/log/nginx/error.log) had the following in it:

 2014/05/08 06:22:24 [crit] 24538#0: *292759 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 1.1.1.1, server: websistent.com, request: "GET /wordpress-custom-403-401-error-page/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "websistent.com"
 It was clear that Nginx couldn’t access PHP FPM’s socket file due to insufficient permissions. But everything was working fine till I updated PHP so something had changed in version 5.5.12. The changelog for this version has the following information under the FPM section:

 Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185).

 The default value of the listen.mode was 0666 prior 5.5.12. To fix the CVE-2014-0185 vulnerability this was changed to 0660. This is evident from the permissions:

 $ ls -l /var/run/php5-fpm.sock
 srw-rw---- 1 root root 0 May 1 19:40 /var/run/php5-fpm.sock
 Notice the first column of the output srw-rw----, it means users/groups other than root do not have any permissions on this file.

 We have two options now:

 Explicitly set the “listen.mode” to 0666 which make it insecure, or
 Change the owner and group of the socket file so that Nginx can read/write to it.
 Option 2 is highly recommended, find out username used by the Nginx worker processes:

 grep 'user' /etc/nginx/nginx.conf
 The most common ones are either www-data or nginx. Edit PHP FPM pool configuration file:

 /etc/php5/fpm/pool.d/www.conf

 Find the following lines:

 ;listen.owner = www-data
 ;listen.group = www-data
 Remove the semicolon “;” before these lines. It is highly unlikely that these lines aren’t present in which case you can add them WITHOUT a semicolon at the beginning.

 If you have multiple pools with different listen.owners and listen.groups make sure the Nginx user (for example www-data) is a member of the listen.group secondary group. So if a FPM pool is owned by bob:

 listen.owner = bob
 listen.group = bob
 Add the user www-data as a member of secondary group bob

 usermod -G bob www-data
 Restart the PHP FPM daemon

 service php5-fpm restart
 Check if the ownership of the socket file has changed

 $ ls -l /var/run/php5-fpm.sock
 srw-rw---- 1 www-data www-data 0 May 1 22:13 /var/run/php5-fpm.sock
 PHP pages will load now without any problems.
	http://websistent.com/fix-connect-to-php5-fpm-sock-failed-13-permission-denied-while-connecting-to-upstream-nginx-error/




	How to fix connect() to php5-fpm.sock failed (13: Permission denied) while connecting to upstream Nginx error
	October 11, 2014 Web Servers Jesin A 2 Comments

	nginx php5 fpm socket permission denied thumbnail


	I encountered this problem after updating PHP to 5.5.12. I use Nginx with PHP5 FPM and after the updating PHP I was seeing 502 Gateway Error pages. Nginx’s error log file (/var/log/nginx/error.log) had the following in it:

	2014/05/08 06:22:24 [crit] 24538#0: *292759 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 1.1.1.1, server: websistent.com, request: "GET /wordpress-custom-403-401-error-page/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "websistent.com"
	It was clear that Nginx couldn’t access PHP FPM’s socket file due to insufficient permissions. But everything was working fine till I updated PHP so something had changed in version 5.5.12. The changelog for this version has the following information under the FPM section:

	Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185).

	The default value of the listen.mode was 0666 prior 5.5.12. To fix the CVE-2014-0185 vulnerability this was changed to 0660. This is evident from the permissions:

	$ ls -l /var/run/php5-fpm.sock
	srw-rw---- 1 root root 0 May 1 19:40 /var/run/php5-fpm.sock
	Notice the first column of the output srw-rw----, it means users/groups other than root do not have any permissions on this file.

	We have two options now:

	Explicitly set the “listen.mode” to 0666 which make it insecure, or
	Change the owner and group of the socket file so that Nginx can read/write to it.
	Option 2 is highly recommended, find out username used by the Nginx worker processes:

	grep 'user' /etc/nginx/nginx.conf
	The most common ones are either www-data or nginx. Edit PHP FPM pool configuration file:

	/etc/php5/fpm/pool.d/www.conf

	Find the following lines:

	;listen.owner = www-data
	;listen.group = www-data
	Remove the semicolon “;” before these lines. It is highly unlikely that these lines aren’t present in which case you can add them WITHOUT a semicolon at the beginning.

	If you have multiple pools with different listen.owners and listen.groups make sure the Nginx user (for example www-data) is a member of the listen.group secondary group. So if a FPM pool is owned by bob:

	listen.owner = bob
	listen.group = bob
	Add the user www-data as a member of secondary group bob

	usermod -G bob www-data
	Restart the PHP FPM daemon

	service php5-fpm restart
	Check if the ownership of the socket file has changed

	$ ls -l /var/run/php5-fpm.sock
	srw-rw---- 1 www-data www-data 0 May 1 22:13 /var/run/php5-fpm.sock
	PHP pages will load now without any problems.