I'm trying to restart nginx from php
The problem is when I type the code from my command line everything work fine
but from my php
i got this as an output
* Restarting nginx nginx ...fail!
My php code is
echo shell_exec ("service nginx restart");
file permission 7777
nginx error log
2016/09/15 15:17:13 [emerg] 2872#0: open() "/run/nginx.pid" failed (13: Permission denied)
2016/09/15 15:30:30 [warn] 2997#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2016/09/15 15:30:30 [emerg] 2997#0: open() "/run/nginx.pid" failed (13: Permission denied)
I solved the problem by adding this command inside sudo users
what i did is
1-visudo
2-go to the last line and add this
www-data ALL = NOPASSWD: /etc/init.d/nginx reload
and the problem is fixed
Related
After running systemctl unmask php8.0-fpm to be able to restart the php8.0-fpm my website start responding with a 502 code, the unmask command returned this output:
Removed /etc/systemd/system/php8.0-fpm.service.
I got this on my logs *16 connect() to unix:/var/run/php/php8.0-fpm.sock failed (2: No such file or directory) while connecting to upstream.
I think my server was configured like suggested in this website https://ispire.me/running-php-fpm-with-different-user-group-using-umask/, but right now i dont have the php8.0-fpm.service on the /lib or the /etc since the unmask command removed this file.
Even though permissions look fine within the container:
drwxrwxr-x 12 www-data www-data 4096 Dec 5 16:04 app
I'm getting a permission denied error when Apache is trying to write anything into that directory.
FYI: /app is mounted from the host machine like this:
/var/www/myApp:/app
Error is
\Exception\ErrorException: file_put_contents(/app/docker.log): failed to open stream: Permission denied in /app/src/Business/ExpediteGround/LHRates/Fetch.php:13
Found the issue everyone, Apache user was just fine (www-data) but I'm using fpm inside the container to compile the php code and it was running with a different user so that was the cause; switched the pool to run as www-data as I'm used to and it worked!
My website is running on nginx + php-fpm and running well but while uploading file it shows blank page.My log file shows
2016/06/08 14:44:40 [error] 22063#22063: *25 FastCGI sent in stderr: "PHP message: PHP Warning: file_put_contents(up/propic/medium/5961465411480.jpg): failed to open stream: Permission denied in /var/www/example.com/saveimg.php on line 32" while reading response header from upstream, client:...
I tried most of answers from stackoverflow , even I changed the /var/www folder permissions to 777 but the results are same.
Few details about my server
/etc/php-fpm.d
user=nginx
group=nginx
ownership and group of /var/www/sites
drwxrwxrwx. 29 ec2-user root 4096 Jun 8 14:39 site1.com
After searching , I found it.It's all deals with SELINUX which is a security feature.
when using ls -Z
drwxrwxrwx. ec2-user root system_u:object_r:httpd_sys_content_t:s0 www
change this to
drwxrwxrwx. ec2-user root system_u:object_r:httpd_sys_rw_content_t:s0 www
using cmd
chcon -R -t httpd_sys_rw_content_t /var/www
You also need to check permissions and ownership of every folder on the way from
/var/www/sites/
to
/var/www/sites/site1.com/up/propic/medium
The user and group defined in your pool.d configuration require access rights to your nginx root location. This can be done by changing the user and group in your pool.d configuration to the same user and group that own your nginx root location or by adding the pool.d user to the group that owns your nginx root location. You can do that like this:
usermod -a -G groupName userName
# nginx error.log echo:
2019/10/12 11:11:02 [error] 3871#0: *1 FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0
Unable to open primary script: /www/test.php (Permission denied)" while reading response header from upstream, client: 192.168.1.9, server: _, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "192.168.1.180"
In Centos System, After searching , I found it.It's all deals with SELINUX which is a security feature. when using ls -alZ
drwxrwxrwx. ec2-user root system_u:object_r:httpd_sys_content_t:s0 www
# change this to
drwxrwxrwx. ec2-user root system_u:object_r:httpd_sys_rw_content_t:s0 www
# using cmd
chcon -R -t httpd_sys_rw_content_t /www
When I want to restart the httpd searvice on centOS 6.7 I have the following error:
/etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: (13)Permission denied: httpd: could not open error log file /etc/httpd/logs/error_log.
Unable to open logs
[FAILED]
This is error_log:
ls -Z /etc/httpd/logs/error_log
-rw-r--r--. root root unconfined_u:object_r:var_t:s0 /etc/httpd/logs/error_log
I disabled selinux also.
What is the problem?
httpd probably runs as user apache or user httpd. Your log is owned and only writable by root. Change ownership of your log file to make this work.
This should do the trick:
~# chown apache:apache /etc/httpd/logs/error_log
Probably you should change the group of that forder to apache, it's not recommended to have root as owner of server stuff. Anyway apache should change that on his own after http starts...
From httpd Wiki:
Before we start, we need to be aware that the Apache HTTP server
(httpd) runs as a particular user and group.
On Linux as well as most other Unix-like systems, httpd is started as
the "root" user; UID=root, GID=root. This is necessary because only
this user can bind to port 80 and 443 (anything below 1024 in fact).
After http starts and binds to its ports (defined by the Listen
statments in httpd.conf), it changes user to that specified in
httpd.conf. Typically:
User: apache
Group: apache
Note that Debian based systems, including
Ubuntu, use "www-data" instead.
As a possible solution you should add yourself into the group apache
usermod -a -G apache (username)
Then:
chgrp apache (folderPath)
chmod g+rwxs (folderPath)
Anyway that's weird... tell me if this solved your issue, if it didn't I will edit it as long as you provide me further information :)
In my case i have done below actions post that able to start the httpd service without any error.
Error:
# sudo tail -f /etc/httpd/logs/error_log
Sep 27 09:09:19 MASTERREPOWEB systemd[1]: Starting The Apache HTTP Server...
Sep 27 09:09:20 MASTERREPOWEB httpd[33693]: (13)Permission denied: AH00091: httpd: could not open error log file /etc/httpd/logs/error_log.
Sep 27 09:09:20 MASTERREPOWEB httpd[33693]: AH00015: Unable to open logs
Sep 27 09:09:20 MASTERREPOWEB systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Solution:
ls -lZ /etc/httpd/logs/error_log
sudo chcon -Rv system_u:object_r:httpd_log_t:s0 /etc/httpd/logs/
sudo systemctl restart httpd
sudo systemctl status httpd
In CentOS 7
Try disabling SElinux and then reboot then
systemctl restart httpd
Note: never leave SElinux disabled. If the problem is solved then enable(enforce) it and then enable httpd in SElinux
https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/
If you are on RedHat/Fedora/CentOS/RockyLinux then try to execute the following command (14:00 is your time since the error happened):
journalctl -t setroubleshoot --since=14:00
You could see the following errors:
Jun 25 14:21:33 fedora setroubleshoot[1609]: SELinux is preventing httpd from open access on the file /var/log/gitea/error_log. For complete SELinux messages run: sealert -l 5e2bf467-e935-4fa7-a7fd-d0f7f257828e
Jun 25 14:21:33 fedora setroubleshoot[1609]: SELinux is preventing httpd from open access on the file /var/log/gitea/error_log.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that httpd should be allowed open access on the error_log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp
It means the lack of permissions is not related to chmod, but rather to SELinux.
In order to fix the issue you need to execute the following command (please adjust the log directory accordinly):
semanage fcontext -a -t httpd_sys_rw_content_t '/var/log/gitea(/.*)?'
restorecon -Rv '/var/log/gitea/'
systemctl restart httpd
The error should disappear. And please never switch off the SELinux permanently (as someone might suggest) because your server could be compromised.
Just run it as super user:
service httpd start
Starting httpd: (13)Permission denied: httpd: could not open error log file /etc/httpd/logs/error_log.
Unable to open logs [FAILED]
sudo service httpd start
Starting httpd: [ OK ]
My environment:
CentOS 6.6
Nginx 1.7.10 with mod_security, naxsi, ngx_pagespeed modules
PHP 5.6.5
Mariadb 10.0.16
SeLinux close
setenforce 0
My test code:
<?php
/*
** Connect to database:
*/
// connect to the database
$con = mysql_connect('localhost','root','my pass')
or die('Could not connect to the server! ' . mysql_error());
var_dump($con);
exit;
That's it.
And when I use firefox to run this script
The result is "Could not connect to the server! Permission denied"
The nginx error.log is
2015/02/18 23:26:33 [error] 1532#0: *68 FastCGI sent in stderr: "PHP message: PHP Warning: mysql_connect(): Permission denied in /var/www/nginx/aa.php on line 9" while reading response header from upstream, client: client ip, server: localhost, request: "GET /test-sql-injection.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "server ip"
But when I use command line to run this script
php aa.php
The result is
resource(5) of type (mysql link)
It is success to connect to maria db...
The mysql.sock file permission is
In /tmp
lrwxrwxrwx. 1 mysql mysql 25 2015-02-18 21:20 mysql.sock -> /var/lib/mysql/mysql.sock
In /var/lib/mysql
srwxrwxrwx. 1 mysql mysql 0 2015-02-18 23:03 mysql.sock
all command is run as root
and when I use another user to run php command
still get Permission denied error message!
which file's permission wrong?
======
/var/lib/mysql dir permission is 700
so it cause permission denied problem....
php-cgi and php-cli are not using the same php.ini file.
Compare both file, maybe you have a difference
Check full path to socket file.
every directory in the path to socket must have eXecute permission for webserver user.
e.g. /var/ or /var/lib/ or /var/lib/mysql/ could have chmod 700 when it must have chmod 711.
Note that making more permissive chmod could lead to security issues. I suggest you moving mysql.sock into world-accessible-by-default directory such as /tmp