nginx open() "directory/to/project" failed (13: Permission denied)

todesengel · 2021-09-14 07:23:03

I am using the default config with Nginx installed on my machine. I just added some simple configurations down below.

nginx.conf:

user http;
worker_processes auto;
worker_cpu_affinity auto;

.....

http{
.....
    server {
        listen       9000;
        server_name  localhost;
        root   /usr/share/nginx/html/exam;
    
        location / {
            index  index.php index.html index.htm;
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;
        
        
            if (!-e $request_filename){
                rewrite ^/(.+)$ /index.php?url=$1 break;
            }
        }
    
        location /. {
            return 404;
        }

        location ~ \.php$ {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            include /etc/nginx/fastcgi.conf;
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_intercept_errors on;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            fastcgi_read_timeout 864000;

        }
    
        location ~ /\.ht {
            deny all;
        }

    }
....
}

since the user for Nginx is http, I also check php.ini file the user and group set as http in file. I also changed the ownership of the folder, subfolders and files as http with:

chmod -R http:http exam/

it looks like this:

1838248 lrwxrwxrwx 1 http http   42 Eyl 13 17:42 exam

but still gives 403 Forbidden on browser with this error:

 2021/09/13 17:49:22 [error] 493923#493923: *4 open() "/usr/share/nginx/html/exam/index.php" failed (13: Permission denied), client: 127.0.0.1, server: localhost, request: "GET /exam HTTP/1.1", host: "localhost:9000"

It looks okay to me when I run commands like nginx -t or system status:

$ systemctl status nginx                                                                                               ✔ 
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2021-09-13 18:15:16 +03; 16h ago
    Process: 494676 ExecStart=/usr/bin/nginx -g pid /run/nginx.pid; error_log stderr; (code=exited, status=0/SUCCESS)
   Main PID: 494677 (nginx)
      Tasks: 9 (limit: 19038)
     Memory: 8.4M
        CPU: 84ms
     CGroup: /system.slice/nginx.service
             ├─494677 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
             ├─494678 nginx: worker process
             ├─494679 nginx: worker process
             ├─494680 nginx: worker process
             ├─494681 nginx: worker process
             ├─494682 nginx: worker process
             ├─494683 nginx: worker process
             ├─494684 nginx: worker process
             └─494685 nginx: worker process

Eyl 13 18:15:16 arch-pc systemd[1]: Starting A high performance web server and a reverse proxy server...
Eyl 13 18:15:16 arch-pc systemd[1]: Started A high performance web server and a reverse proxy server.

But the status of php-fpm displays some errors:

● php-fpm.service - The PHP FastCGI Process Manager
     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2021-09-13 15:10:21 +03; 19h ago
   Main PID: 20106 (php-fpm)
     Status: "Processes active: 0, idle: 3, Requests: 63, slow: 0, Traffic: 0req/sec"
      Tasks: 4 (limit: 19038)
     Memory: 15.9M
        CPU: 9.798s
     CGroup: /system.slice/php-fpm.service
             ├─ 20106 php-fpm: master process (/etc/php/php-fpm.conf)
             ├─ 20107 php-fpm: pool www
             ├─ 20108 php-fpm: pool www
             └─491072 php-fpm: pool www

Eyl 13 16:24:30 arch-pc phpMyAdmin[20108]: user denied: root (mysql-denied) from 127.0.0.1
Eyl 13 16:45:19 arch-pc phpMyAdmin[20107]: user denied: mysql (mysql-denied) from 127.0.0.1
Eyl 13 16:45:23 arch-pc phpMyAdmin[20108]: user denied: mysql (mysql-denied) from 127.0.0.1
Eyl 13 16:45:27 arch-pc phpMyAdmin[20107]: user denied: mysql (mysql-denied) from 127.0.0.1
Eyl 13 16:57:17 arch-pc phpMyAdmin[20108]: user denied: mysql (empty-denied) from 127.0.0.1
Eyl 13 16:57:20 arch-pc phpMyAdmin[20107]: user denied: mysql (empty-denied) from 127.0.0.1
Eyl 13 16:57:29 arch-pc phpMyAdmin[20108]: user denied: mysql (mysql-denied) from 127.0.0.1
Eyl 13 16:57:34 arch-pc phpMyAdmin[20107]: user denied: mysql (mysql-denied) from 127.0.0.1
Eyl 13 16:57:38 arch-pc phpMyAdmin[20108]: user denied: mysql (mysql-denied) from 127.0.0.1
Eyl 13 16:57:41 arch-pc phpMyAdmin[20107]: user denied: mysql (empty-denied) from 127.0.0.1

I have tried every solution I found, but it did not work. In /usr/share/nginx/html directory, there is phpmyadmin and it works fine.

I also tried simple PHP files that run "phpinfo();" even they are not working.

frostschutz · 2021-09-14 10:03:38

If you see a permission error, it usually is a permission error. Permissions need to be correct not only for the target file itself but also the whole path that leads to it. nginx and php are separate processes each running as a certain user or group, so make sure they can both reach the files.

What your `ls` is showing seems to be a symlink, and symlinks are special anyway, using symlinks might cause some confusion. Avoid symlinks if possible. Always check the permissions of the real files and paths.

/usr/share/nginx/html is a location nginx uses to display its standard welcome to nginx message. You should not use this location for anything else. Rather than putting symlinks in there, set nginx to use the correct location.

todesengel · 2021-09-14 10:20:46

Yeah, it was a symlink that under /usr/share/nginx/html. I did try to use the correct location as you said. But I'm still taking the same errors.

`ls` result In html file:

...
1838248 lrwxrwxrwx 1 http http   42 Eyl 13 17:42 exam -> /home/arch/projects/exam/
...

`ls` result in my project file:

...
24511371 drwxrwxrwx  9 http      http      4,0K Eyl  8 23:00  exam
...

But like I said I changed the nginx.conf file and redirect root to '/home/arch/projects/exam' still getting same errors.

frostschutz · 2021-09-14 11:28:48

The permissions apply to the entire path, so I can only guess that in your case, `/home/arch` and/or `/home/arch/projects` is restricted to arch user (owner arch:arch, chmod 750 so not world-readable) and thus `/home/arch/projects/exam` can not be reached, even if `exam` itself were owned by http user.

# check permissions for the entire path to file
ls -ld / /home /home/arch /home/arch/projects /home/arch/projects/exam /home/arch/projects/exam/index.php

You could relocate it to /srv/http/exam (with `/srv` being world readable, and `/srv/http` owned by http user) or alternatively have the nginx/php run as regular user - but that would give it access to everything owned by that user, so it only makes sense if you create a dedicated user account for each web project which then only owns webproject related stuff. In case of php-fpm this would also mean running a separate pool for each user. This can be very nice if you wish to prevent project A interfering with project B and vice versa - which PHP would otherwise be able to do as with a single/global pool, it's either permissions for everyone or no one.

todesengel · 2021-09-14 12:43:54

Moving project under to the `/srv/http` worked. Thanks for your help.

Arch Linux

#1 2021-09-14 07:23:03

nginx open() "directory/to/project" failed (13: Permission denied)

#2 2021-09-14 10:03:38

Re: nginx open() "directory/to/project" failed (13: Permission denied)

#3 2021-09-14 10:20:46

Re: nginx open() "directory/to/project" failed (13: Permission denied)

#4 2021-09-14 11:28:48

Re: nginx open() "directory/to/project" failed (13: Permission denied)

#5 2021-09-14 12:43:54

Re: nginx open() "directory/to/project" failed (13: Permission denied)

Board footer