If you have an Ubuntu web server (running Ubuntu 14.04 LTS, 13.10, 12.04 LTS, or 10.04 LTS) set up using PHP FPM with Unix sockets, be warned that a recent security patch that fixes an issue with the PHP FPM socket permissions may also break existing configurations, preventing your website from loading PHP files.
After this patch is installed, you may find that your Unix socket no longer accepts connections from your web server user, and you will see an error 13 ‘permission denied’ in your web server logs. This is because the new version changes the permissions on the socket (/var/run/php5-fpm.sock or similar).
More information on the patch in question can be found on the following Ubuntu Security Notice page:
http://www.ubuntu.com/usn/usn-2254-1/
To check which user your web server software is running as, you can run the following command:
ps auxw
Look for your web server software in the list, such as ‘nginx’. The username should be in the first column of the output.
To confirm this is your issue, the message in your log file may look something like this:
Nginx Log File Example:
2014/06/28 15:55:49 [crit] 23304#0: *163616 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: xx.xx.xx.xx, server: websiteurl, request: "GET /file.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "websiteurl", referrer: "http://websiteurl/"
2014/06/28 15:56:03 [crit] 23304#0: *163618 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: xx.xx.xx.xx, server: websiteurl, request: "GET /file.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "websiteurl", referrer: "http://websiteurl/"
2014/06/28 15:56:18 [crit] 23304#0: *163620 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: xx.xx.xx.xx, server: websiteurl, request: "GET /file.php HTTP/1.0", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "websiteurl", referrer: "http://websiteurl/"
To fix this, a configuration change needs to occur in the relevant php5 fpm config file on your system.
Check the /etc/php5/fpm/pool.d/ folder for *.conf files.
Edit the relevant one for your system, and locate the lines containing:
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0666
Un-comment all 3 lines, and set the owner and group to match the owner and group that your webserver runs as (if different to www-data).
Also, set the mode option to 0660 so not everyone can connect to the PHP5 FPM socket (important in a shared hosting environment).
It should now look something like this:
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
Save the file, exit the editor, and restart PHP5 FPM:
sudo service php5-fpm restart
The socket file should now have the correct permissions set for the web server software to connect to the PHP5 FPM socket.
This can be checked using the following command:
$ ls -al /var/run/*.sock
srw-rw---- 1 www-data www-data 0 Jun 30 16:03 /var/run/php5-fpm.sock=
Test your website (ensure you go to a php page), and confirm everything is working again.
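The pool file settings described above can also be checked before restarting PHP5 FPM. The following script is an added example, not part of the original post: the function names pool_setting and audit_pool are hypothetical, the sample pool files are constructed, and it assumes the web server connects as the given user with the given primary group.

```shell
#!/bin/sh
# Added example, not from the original post; the sample pool files are constructed.

# Print the active (uncommented) value of KEY ($2) in pool file $1, or nothing.
pool_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# audit_pool FILE WEB_USER WEB_GROUP: print one finding per line, or "OK".
# Assumes the web server connects as WEB_USER with primary group WEB_GROUP.
audit_pool() {
    owner=$(pool_setting "$1" listen.owner)
    group=$(pool_setting "$1" listen.group)
    mode=$(pool_setting "$1" listen.mode)
    bad=0
    [ -n "$owner" ] || { echo "UNSET listen.owner"; bad=1; }
    [ -n "$group" ] || { echo "UNSET listen.group"; bad=1; }
    [ -n "$mode" ] || { echo "UNSET listen.mode"; bad=1; }
    # Once the mode excludes "other", the web server must match owner or group.
    if [ -n "$owner$group" ] && [ "$owner" != "$2" ] && [ "$group" != "$3" ]; then
        echo "MISMATCH socket=$owner:$group webserver=$2:$3"; bad=1
    fi
    # A non-zero last octal digit lets every local user connect to the socket.
    case $mode in
        ""|*0) ;;
        *) echo "WORLD listen.mode=$mode"; bad=1 ;;
    esac
    if [ "$bad" -eq 0 ]; then echo "OK"; fi
    return "$bad"
}

demo() {
    tmp=$(mktemp -d)
    # Constructed "before" file: the three lines are still commented out.
    printf '%s\n' '[www]' 'listen = /var/run/php5-fpm.sock' ';listen.owner = www-data' \
        ';listen.group = www-data' ';listen.mode = 0666' > "$tmp/before.conf"
    # Constructed "after" file: the settings recommended in this post.
    printf '%s\n' '[www]' 'listen = /var/run/php5-fpm.sock' 'listen.owner = www-data' \
        'listen.group = www-data' 'listen.mode = 0660' > "$tmp/after.conf"
    echo "before:"; audit_pool "$tmp/before.conf" www-data www-data || true
    echo "after:"; audit_pool "$tmp/after.conf" www-data www-data || true
    rm -rf "$tmp"
}
demo
```

On a real server, point audit_pool at the relevant file in /etc/php5/fpm/pool.d/ and pass the user and group your web server runs as.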