Reputation: 797
I know the risks about running php-fpm as root. However there are situations where one would need to do it, like appliances, accessing operating system resources or even for testing purposes.
I have tried to change the user and group in php-fpm.d/www.conf to root, but when I restart the php-fpm process it raises an error:
Starting php-fpm: [26-Jun-2014 00:39:07] ERROR: [pool www] please specify user and group other than root
[26-Jun-2014 00:39:07] ERROR: FPM initialization failed
[FAILED]
What should I do? Can anyone help?
Upvotes: 24
Views: 41338
Reputation: 36954
By default, php-fpm is shipped with a "www.conf" that contains, among others, the default www-data user configuration:
[www]
user = www-data
group = www-data
So, you need to create another file, loaded after www.conf, that will overwrite that default config. For example, create a file docker.conf in the same path as your php-fpm's Dockerfile and containing the following:
[www]
user = root
group = root
Then, in your Dockerfile, inject that file in your container with a name that will be loaded after the default www.conf:
COPY ./docker.conf /usr/local/etc/php-fpm.d/zzz-docker.conf
Upvotes: 0
Reputation: 7822
These 3 steps will fix the error.
1. php-fpm.service. For me it's /usr/lib/systemd/system/php-fpm.service. If you're not sure where it is, type find / -name php-fpm.service.
2. ExecStart variable. Eg ExecStart=/usr/sbin/php-fpm --nodaemonize -R.
3. php-fpm. If systemctl restart php-fpm throws an error, run systemctl daemon-reload.
To anyone else wondering how to make php run as root, you also need to modify /etc/php-fpm.d/www.conf or modify a copy of it. Both user and group need to be changed to root. If you've made a copy of www.conf, you'll also need to modify this line listen = /run/php-fpm/www.sock.
Upvotes: 1
Reputation: 1393
Just adding -R (like this ans. suggests) to your command may not work. It depends on how you're running the command to start php-fpm.
If you're using service php-fpm restart and it's using /etc/init.d instead of systemctl (see here), then you'll have to add -R to the DAEMON_ARGS variable located in the /etc/php/<phpversion>/fpm/php-fpm.conf script. (This variable is used in the do_start() function. See here).
If it's using systemctl then you'll have to edit the script used by systemctl, which should be located in /lib/systemd/system/<phpversion>-fpm.service. Append -R to the ExecStart variable. Then run systemctl daemon-reload and systemctl start php<version>-fpm (see here).
I used the following questions/answers/resources to help me compile this solution.
Upvotes: 4
Reputation: 157947
Update 2018
Running it within a container is a possible valid reason to run php-fpm as root. It can be done by passing the -R command line argument to it.
Original answer:
However there are situations where one would need to do it, like appliances, accessing operating system resources
You never need to do it. That's it. If you are managing system resources, grant permissions for the php-fpm user to those resources rather than running the whole process as root. If your question were more specific, I could show how to do that in a certain situation.
Upvotes: -24
Reputation: 1357
See:
# php-fpm --help
...
-R, --allow-to-run-as-root
Allow pool to run as root (disabled by default)
Upvotes: 66
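As an added example (not part of any answer above, and not php-fpm's own code): a small audit that works out which pools end up with user or group set to root once later-loaded files such as zzz-docker.conf override www.conf, and whether a unit's ExecStart passes -R. It assumes pool files are applied in sorted filename order, as the Docker answer describes; the function names and the sample file contents are constructed for illustration.

```python
import re

ROOT_IDS = {"root", "0"}  # a name or a numeric id may be configured

def effective_pools(files):
    """Merge {filename: text} in sorted filename order; later values win."""
    pools = {}
    for name in sorted(files):  # assumption: load order == sorted filenames
        section = None
        for raw in files[name].splitlines():
            line = raw.split(";", 1)[0].strip()  # ';' starts a comment
            header = re.fullmatch(r"\[([^\]]+)\]", line)
            if header:
                section = header.group(1)
                pools.setdefault(section, {})
            elif section and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                pools[section][key] = (value, name)  # remember the source file
    return pools

def root_pools(files):
    """Return (pool, key, value, source_file) for pools that end up as root."""
    findings = []
    for pool, opts in effective_pools(files).items():
        if pool == "global":  # [global] holds daemon-wide settings, not a pool
            continue
        for key in ("user", "group"):
            value, source = opts.get(key, (None, None))
            if value in ROOT_IDS:
                findings.append((pool, key, value, source))
    return findings

def unit_allows_root(unit_text):
    """True if an ExecStart= line passes -R / --allow-to-run-as-root."""
    for line in unit_text.splitlines():
        if line.strip().startswith("ExecStart="):
            args = line.split("=", 1)[1].split()
            if "-R" in args or "--allow-to-run-as-root" in args:
                return True
    return False

# Constructed sample input mirroring the files quoted in the answers.
SAMPLE_FILES = {
    "www.conf": "[www]\nuser = www-data\ngroup = www-data\n",
    "zzz-docker.conf": "[www]\nuser = root ; override\ngroup = root\n",
}
SAMPLE_UNIT = "[Service]\nExecStart=/usr/sbin/php-fpm --nodaemonize -R\n"

if __name__ == "__main__":
    for finding in root_pools(SAMPLE_FILES):
        print("pool %s: %s=%s (set in %s)" % finding)
    print("unit passes -R:", unit_allows_root(SAMPLE_UNIT))
```

Reporting the source file alongside each finding shows which override introduced the root setting, which is what a reviewer needs when the default www.conf itself still looks safe.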