nginx php fastcgi unable to write , permission denied even using his own permission

Question

Hi' i have permission denied when using write to text function like file_put_contents. i'm using nginx inside centos 6 environment, i use php-fcgi

the problem ONLY solved by set the dir permission to 777, but i dont want that solution.

here's the php code

<?php
    error_reporting(E_ALL);
    header("content-type:text/plain");
    if(isset($_GET['akarapaci'])) {phpinfo();}
    echo getcwd();
    echo "\nscript owner : ".get_current_user()."\n";
    echo "\nscript getmyuid : ".getmyuid()."\n";
    echo "\nscript getmygid : ".getmygid()."\n";

    file_put_contents(dirname(__FILE__)."/X","1");
?>

here's the result :

/var/www/html
script owner : nginx

script getmyuid : 496

script getmygid : 493

the code is just simple write to file /var/www/html/X (the file not created yet), and have error like this

2012/10/27 19:51:59 [error] 1010#0: *32 FastCGI sent in stderr: "PHP Warning:  file_put_contents(/var/www/html/X): failed to open stream: Permission denied in /var/www/html/info.php on line 10" while reading response header from upstream, client: 111.94.49.72, server: vprzl.com, request: "GET /info.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "vprzl.com"

and here's the list of dir inside /var/www/

total 40
drwxr-xr-x 2 root  root   4096 Oct 27 08:44 backup
drwxr-xr-x 2 root  root   4096 Feb 14  2012 cgi-bin
drwxrwxrwx 3 root  root  12288 Oct 27 08:47 devel
drwxr-xr-x 3 root  root   4096 Oct 20 04:48 error
drwxrwxr-x 2 nginx nginx  4096 Oct 27 19:24 html
drwxr-xr-x 3 root  root   4096 Oct 17 18:19 icons
drwxr-xr-x 5 root  root   4096 Oct 27 16:57 images
drwxr-xr-x 2 root  root   4096 Oct 26 14:28 secret

and here's my nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;


    server {
      listen          80;
      server_name     vprzl.com www.vprzl.com;
      index           index.html;
      root            /var/www/html/;

      location / { 
          # Rewrite rules and other criterias can go here
          # Remember to avoid using if() where possible (http://wiki.nginx.org/IfIsEvil)
          index  index.html index.htm;
      }

      location ~ \.php$ {
          include fastcgi_params;
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      }
    }

    server {
      listen          80;
      server_name     images.vprzl.com;
      index           index.html;
      root            /var/www/images/;

      location / { 
          # Rewrite rules and other criterias can go here
          # Remember to avoid using if() where possible (http://wiki.nginx.org/IfIsEvil)
          index  index.html index.htm;
      }
    }

    server {
      listen          80;
      server_name     secret.vprzl.com;
      index           index.html;
      root            /var/www/secret/;

      location / { 
          index  index.html index.htm;
      }
    }
}

Answer 1

You must grant access your web folder to nginx:nginx (chown nginx:nginx) or whatever user who you started nginx service. Then restart the services web. More info enter link description here Greetings

Answer 2

PLease do not disable you SELinux. here are the steps you need to take carefully to overcome this problem: first of all selinux is the central security of your system. and it handles all read and write to files.

1) all folder in /var/www must have permission 755.

you can do this by : find "folder" -type d -exec chmod 755 {} \;

2) all files must have permission 644 :

find "folder" -type f -exec chmod 644 {} \;

3) the specific folder you need to write or create file must have 0777 permission.

chmod 0777 "folder"

4) then tell SELinux to allow write in that specific dir or for a specific file:

chcon -t httpd_sys_rw_content_t test.txt

Neither set all your folders permission to 777 not disable your Selinux.

Answer 3

(i) if you have set user:group to nginx and the permissions are 0755 then you are ok (ii) if you still have permission denied, then check selinux. i.e

$sudo setenforce 0

(iii) With selinux disabled, check if you are now able to write.

Answer 4

found the culprit! (of my own answer) i just have to change a line in the file /etc/init.d/php-fcgi

from

PHPUSER=php

to

PHPUSER=nginx

and then restart