When PHP-FPM throws a "Permission denied" error while trying to access temporary files or sockets, it typically indicates a mismatch between the permissions configured for the Nginx and PHP-FPM processes. In this specific case, the error occurs when Nginx attempts to write to /var/lib/nginx/tmp/fastcgi while communicating with PHP-FPM through a Unix socket:

```
2013/04/20 23:33:28 [crit] 15479#0: *6 open() "/var/lib/nginx/tmp/fastcgi/2/00/0000000002" failed (13: Permission denied) while reading upstream, client: 99.999.999.999, server: example.net, request: "GET /wp-admin/ HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fpm.sock:", host: "example.net"
```

Several critical components need proper permission settings:

- The temporary directory for Nginx (/var/lib/nginx/tmp)
- The PHP-FPM socket file (/tmp/php-fpm.sock)
- The user/group configuration in both Nginx and PHP-FPM

Here's how to properly configure all components:
1. Directory and Socket Permissions

First, ensure the temporary directory exists and has correct permissions:

```sh
sudo mkdir -p /var/lib/nginx/tmp
sudo chown -R ec2-user:ec2-user /var/lib/nginx/tmp
sudo chmod -R 755 /var/lib/nginx/tmp
```

For the PHP-FPM socket location:

```sh
sudo chown ec2-user:ec2-user /tmp/php-fpm.sock
sudo chmod 755 /tmp/php-fpm.sock
```
2. Nginx Configuration

Ensure your nginx.conf specifies the correct user:

```nginx
user ec2-user ec2-user;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Other http configurations...
    fastcgi_temp_path /var/lib/nginx/tmp/fastcgi_temp;
    fastcgi_cache_path /var/lib/nginx/tmp/fastcgi_cache levels=1:2 keys_zone=PHPCACHE:100m inactive=60m;
}
```
3. PHP-FPM Configuration

The php-fpm.conf should match nginx's user:

```ini
[www]
user = ec2-user
group = ec2-user
listen = /tmp/php-fpm.sock
listen.owner = ec2-user
listen.group = ec2-user
listen.mode = 0660
```
On systems with SELinux enabled, you may need additional steps:

```sh
# Check SELinux status
sestatus
# If enabled, set proper context
sudo chcon -R -t httpd_tmpfs_t /var/lib/nginx/tmp
sudo chcon -R -t httpd_sys_rw_content_t /tmp/php-fpm.sock
```
After making changes, verify with these commands:

```sh
sudo nginx -t
sudo systemctl restart nginx
sudo systemctl restart php-fpm
# Check process ownership
ps aux | grep -E 'nginx|php-fpm'
```

Proper output should show ec2-user as the process owner for both services.
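The answer above boils down to three things that have to agree: the user the Nginx workers run as, the owner and mode of the fastcgi temp directory, and the owner and mode of the PHP-FPM socket. The script below is an added example (not code from this answer or from the Nginx/PHP-FPM projects) that reads those values from the real config files and the filesystem and reports which one disagrees, instead of guessing with chmod. The config paths, the socket path and the use of GNU `stat -c` (Linux coreutils) are assumptions; override the paths through the environment variables at the top.

```shell
#!/bin/sh
# check_fpm_perms.sh: audit the three things that must agree for the Nginx ->
# PHP-FPM handoff to work: the user Nginx workers run as, the owner/mode of the
# fastcgi temp directory, and the owner/mode of the PHP-FPM Unix socket.
# Added example, not code from the answers above. File locations are assumptions
# taken from those answers and can be overridden through the environment.

NGINX_CONF="${NGINX_CONF:-/etc/nginx/nginx.conf}"
FPM_POOL="${FPM_POOL:-/etc/php-fpm.d/www.conf}"
FPM_SOCK="${FPM_SOCK:-/tmp/php-fpm.sock}"

# Print the first argument of the first occurrence of an nginx directive,
# e.g. nginx_directive nginx.conf user  ->  ec2-user
nginx_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:];]*\).*/\1/p" "$1" | head -n 1
}

# Print the value of a 'key = value' line in a PHP-FPM pool file,
# e.g. fpm_value www.conf listen.mode  ->  0660
fpm_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# True when a single octal permission digit grants both read and write.
rw_digit() {
    case "$1" in 6|7) return 0 ;; *) return 1 ;; esac
}

# access_ok USER OWNER GROUP MODE "GROUP LIST" LABEL
# Decide whether USER (a member of the listed groups) can read and write a path
# owned by OWNER:GROUP with octal MODE. connect() on a Unix socket needs write
# permission on the socket file, so the same rw test serves socket and temp dir.
access_ok() {
    user=$1; owner=$2; group=$3; mode=$4; groups=$5; label=$6
    m=${mode#"${mode%???}"}               # keep the last three octal digits: 0660 -> 660
    u=${m%??}; rest=${m#?}; g=${rest%?}; o=${rest#?}
    if [ "$user" = "$owner" ] && rw_digit "$u"; then
        return 0
    fi
    for grp in $groups; do
        if [ "$grp" = "$group" ] && rw_digit "$g"; then
            return 0
        fi
    done
    if rw_digit "$o"; then
        echo "warning: $label is world read/write (mode $mode); it works, but every local user can use it" >&2
        return 0
    fi
    echo "FAIL: user '$user' cannot read/write $label (owner $owner, group $group, mode $mode)" >&2
    return 1
}

# Live audit of the running host. Run as:  sh check_fpm_perms.sh audit
audit_live() {
    nuser=$(nginx_directive "$NGINX_CONF" user)
    tmpdir=$(nginx_directive "$NGINX_CONF" fastcgi_temp_path)
    ngroups=$(id -Gn "$nuser" 2>/dev/null)
    status=0
    echo "nginx user: ${nuser:-(unset)} (groups: $ngroups)"
    echo "fastcgi_temp_path: ${tmpdir:-(unset, compiled-in default applies)}"
    # Temp directory: compare the owner/mode actually on disk with the nginx user.
    if [ -n "$tmpdir" ] && [ -d "$tmpdir" ]; then
        set -- $(stat -c '%U %G %a' "$tmpdir")
        access_ok "$nuser" "$1" "$2" "$3" "$ngroups" "temp dir $tmpdir" || status=1
    fi
    # Socket: the pool file says what PHP-FPM will create; the filesystem says what exists.
    echo "pool: listen.owner=$(fpm_value "$FPM_POOL" listen.owner) listen.group=$(fpm_value "$FPM_POOL" listen.group) listen.mode=$(fpm_value "$FPM_POOL" listen.mode)"
    if [ -S "$FPM_SOCK" ]; then
        set -- $(stat -c '%U %G %a' "$FPM_SOCK")
        access_ok "$nuser" "$1" "$2" "$3" "$ngroups" "socket $FPM_SOCK" || status=1
    else
        echo "FAIL: $FPM_SOCK is not a socket (is PHP-FPM running with listen = $FPM_SOCK?)" >&2
        status=1
    fi
    # Ownership and mode can be right and SELinux can still deny the open().
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux: $(getenforce); context of temp dir: $(ls -Zd "$tmpdir" 2>/dev/null)"
    fi
    return $status
}

case "${1:-}" in audit) audit_live ;; esac
```

The check deliberately reads the `fastcgi_temp_path` directive rather than assuming `/var/lib/nginx/tmp`, because the log line above names `/var/lib/nginx/tmp/fastcgi` while the config sets `/var/lib/nginx/tmp/fastcgi_temp`; the directory that matters is whichever one the running Nginx actually uses. A world-writable socket is reported as a warning rather than a pass without comment, since `listen.mode = 0660` plus a matching owner or group is the setting that lets only the web server talk to PHP-FPM.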
I recently encountered a stubborn 403 Forbidden error in my Nginx+PHP-FPM setup that resisted all standard permission fixes. The error manifested when trying to access WordPress admin:

```
2013/04/20 23:33:28 [crit] 15479#0: *6 open() "/var/lib/nginx/tmp/fastcgi/2/00/0000000002" failed (13: Permission denied)
```

Despite setting all permissions correctly (even extreme 777 tests), the error persisted. Here's what I verified:

```sh
# Verify process ownership
ps aux | grep -E 'nginx|php-fpm'
# Check directory permissions
ls -la /var/lib/nginx/tmp
ls -la /tmp/php-fpm.sock
```

The breakthrough came when checking SELinux context:

```sh
# Check SELinux status
sestatus
# View security context
ls -Z /var/lib/nginx
# Temporary solution (not recommended)
setenforce 0
```

Instead of disabling SELinux completely, we should adjust policies:

```sh
# Install SELinux tools
yum install policycoreutils-python
# Set proper context
semanage fcontext -a -t httpd_tmp_t "/var/lib/nginx/tmp(/.*)?"
restorecon -Rv /var/lib/nginx/tmp
```
The complete working configuration for Nginx:

```nginx
user nginx;
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    fastcgi_temp_path /var/lib/nginx/tmp/fastcgi_temp;
    # ... other http config ...
    server {
        location ~ \.php$ {
            fastcgi_pass unix:/tmp/php-fpm.sock;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}
```

And for PHP-FPM:

```ini
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
```
After implementing these changes:

```sh
# Check socket permissions
ls -la /tmp/php-fpm.sock
# Test SELinux context
ls -Z /var/lib/nginx/tmp
# Verify in logs
tail -f /var/log/nginx/error.log
```