
Nginx runs under user www-data. For php5-fpm pool, I have two websites namely, website1 and website2 with the following configuration in /etc/php5/fpm/pool.d/:

website1 config in fpm pool

 user = website1
 group = website1
 listen = /var/run/php5-fpm-website1.sock
 listen.owner = website1
 listen.group = website1
 listen.mode = 0666

website2 config in fpm pool

 user = website2
 group = website2
 listen = /var/run/php5-fpm-website2.sock
 listen.owner = website2
 listen.group = website2
 listen.mode = 0666

The above configuration works fine as it creates the Unix Socket files with 666 permission. But, ideally I want to change listen.mode to 0660 to create the same permission for my socket.

My problem is, if I change listen.mode to 0660 and then restart nginx/php5-fpm, I get 502 Bad Gateway due to a permission issue.

EDIT

I have gone through similar questions before on SO (including the one referred to by @Mario); however, I am more looking for a solution with a configuration suitable for multiple websites (server blocks) keeping their individual security intact...

hashbrown
  • `listen.owner = website1` needs to be the user id your `nginx` webserver process runs with. Only `user =` and `group =` pertain to the FPM's uid. – mario Jun 25 '14 at 04:09
  • @Mario Sorry.. can you expand the comment little more? Should I assign `listen.owner` and `listen.group` both to `nginx` userid and group? – hashbrown Jun 25 '14 at 04:16
  • Yes, set them to `www-data`. – mario Jun 25 '14 at 04:17
  • @Mario But if all the sockets are under same user, doesn't it mean then that `website1` can redirect its request to `website2` socket and vice-versa and possibly breach security in some way? – hashbrown Jun 25 '14 at 04:20
  • Depends on your `nginx` configuration. Neither uid `website1` nor `website2` however will have access to the FPM socket when it's owned by `www-data`, so can't initiate a local FCGI process on behalf of the other account. If you wanna separate the sockets, you'd need two distinct `nginx` processes (which was only necessary when both accounts can run arbitrary CGI scripts under `www-data`). – mario Jun 25 '14 at 04:24
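The pool layout the comments arrive at, written out as an added example (this is not configuration from the question or from the php-fpm project; the pool file names, the `[website1]`/`[website2]` section names and the nginx `fastcgi_pass` lines shown in comments are assumptions, while `www-data` is the nginx user given in the question). The point is the split of roles: `user`/`group` decide which account the PHP workers run as, whereas `listen.owner`/`listen.group`/`listen.mode` decide who may connect to the socket. With the socket owned by `www-data` and mode 0660, nginx can connect, but the `website1` and `website2` accounts cannot open each other's socket (or even their own), so a script running as one site user has no path to the other site's FPM workers.

```ini
; /etc/php5/fpm/pool.d/website1.conf  (assumed file name)
[website1]
; PHP workers for this site run as the unprivileged site account.
user = website1
group = website1

listen = /var/run/php5-fpm-website1.sock
; The socket is the nginx-facing end: owned by the nginx user/group so nginx
; can connect, while 0660 (instead of 0666) denies every other local account.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; nginx server block for website1 (assumed), pointing at this pool only:
;   location ~ \.php$ {
;       fastcgi_pass unix:/var/run/php5-fpm-website1.sock;
;   }

; /etc/php5/fpm/pool.d/website2.conf  (assumed file name)
[website2]
user = website2
group = website2

listen = /var/run/php5-fpm-website2.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; nginx server block for website2 (assumed), pointing at this pool only:
;   location ~ \.php$ {
;       fastcgi_pass unix:/var/run/php5-fpm-website2.sock;
;   }
```

After restarting php5-fpm, `ls -l /var/run/php5-fpm-website1.sock` should show `srw-rw---- www-data www-data`; if the owner is still the site user with mode 0660, nginx gets "Permission denied" on connect and returns the 502 described in the question. The per-site isolation rests on each server block naming only its own socket and on nginx itself not being configured to hand one site's requests to the other pool.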
