Correct Nginx Apache Sessions Permissions

Hi,

I installed apache but then installed nginx and now my sessions are broken:

2022/09/24 22:46:37 [error] 3672775#0: *2 FastCGI sent in stderr:
"PHP message: PHP Warning:  session_start():
open(/var/lib/php/session/sess_afuki7km5g40hn178l8v7d0jl5,
O_RDWR) failed: Permission denied (13) in /path/to/some/file.php on line 6
...

because stuff has group “apache”:

[root@mach php-fpm.d]# cat www.conf
...
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
;php_value[opcache.file_cache]  = /var/lib/php/opcache
[root@mach php-fpm.d]# ls -l /var/lib/php/
total 16
drwxrwx--- 2 root apache 4096 May 30  2021 opcache
drwxr-xr-x 2 root root   4096 May 30  2021 peclxml
drwxrwx--- 2 root apache 4096 May 30  2021 session
drwxrwx--- 2 root apache 4096 May 30  2021 wsdlcache
[root@mach php-fpm.d]#

How do I undo / correct this?

Trying to remove httpd and delete the apache user didn’t go well:

[root@mach php-fpm.d]# userdel -r "apache"
userdel: apache mail spool (/var/spool/mail/apache) not found
userdel: /usr/share/httpd not owned by apache, not removing
[root@mach php-fpm.d]# ls -l /var/lib/php/
total 16
drwxrwx--- 2 root   48 4096 May 30  2021 opcache
drwxr-xr-x 2 root root 4096 May 30  2021 peclxml
drwxrwx--- 2 root   48 4096 May 30  2021 session
drwxrwx--- 2 root   48 4096 May 30  2021 wsdlcache

I could just manually change it but I have to wonder what else has the (now broken) apache group.

Ideas?

Mike

Hi Mike,

There are a couple of things you need to get this working.

First you’ll have to change ownership of the folders to nginx.

setfacl -R -m u:nginx:rwx /var/lib/php/opcache/
setfacl -R -m u:nginx:rwx /var/lib/php/session/
setfacl -R -m u:nginx:rwx /var/lib/php/wsdlcache/

And change the user and group in your www.conf to nginx.

If you still encounter problems afterwards you can check the ownership and SElinux configuration of your webroot folder. You can see the SElinux file context of a folder with the following command:

ls -lZ /var/www/html/

drwxr-xr-x. 15 nginx nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0      4096 Sep 10 02:51 nextcloud  

You can see the folder has httpd_sys_rw_content_t written in its context. This is telling SElinux it’s ok that the webserver/PHP can write and read in this folder.

So the following two commands are sometimes necessary for your webroot folder. I’ll use my nextcloud folder from the above example.

chown -R nginx:nginx /usr/share/nginx/nextcloud-data
chcon -t httpd_sys_rw_content_t /var/www/html/nextcloud -R

First one is for changing the user, second one for giving read/write access on the folder.

I think this should be enough to get things working.

Good luck!

The following seems to have fixed it:

# chown root:nginx opcache/ session/ wsdlcache/

But I suppose a -R would have been in order if the caches had any files in them.

So are we using setfacl now instead of chown? And chmod? Always?

I still feel young but the fact that I’ve been using Linux since kernel 2.0.35 is starting to feel more like a liability than “experience”.

Default php-fpm runs under the apache account and uses /var/lib/php/session

This is perfectly fine, especially as most packaged web apps expect this. Ex: nginx + php-fpm + phpMyAdmin (from EPEL) works out-of-the-box, without any configuration change.

If you change the user running the fpm pool, you MUST use other directories (ex /var/lib/php/user_session) in the pool configuration file and set the proper permissions.

As explained in the www.conf file (in recent versions):

; Set the following data paths to directories owned by the FPM process user.
;
; Do not change the ownership of existing system directories, if the process
; user does not have write permission, create dedicated directories for this
; purpose.
;
; See warning about choosing the location of these directories on your system
; at http://php.net/session.save-path
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
;php_value[opcache.file_cache]  = /var/lib/php/opcache

Else permissions will be restored to default (apache) during PHP update.
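As an added illustration of the dedicated-directory approach described in that post (this is not code from the thread or from the php-fpm package): a small POSIX shell script that creates pool-owned directories, emits the matching pool settings, and checks that a directory is writable by the pool user through its plain Unix owner/group bits. The base directory, the pool file path in the comments and the pool user name are assumptions, as is GNU stat; ACLs and SELinux contexts are not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread. Instead of re-owning
# /var/lib/php/{session,wsdlcache,opcache} (reset on PHP update),
# create dedicated directories for the pool user and point the pool at them.
# Assumes GNU coreutils (stat -c) and that POOL_USER exists when run as root.
set -eu

# make_pool_dirs POOL_USER BASE_DIR
# Creates BASE_DIR/session, wsdlcache, opcache with mode 0770; chowns them
# to POOL_USER and its primary group only when running as root.
make_pool_dirs() {
    user="$1"; base="$2"
    for d in session wsdlcache opcache; do
        mkdir -p "$base/$d"
        chmod 0770 "$base/$d"
        if [ "$(id -u)" -eq 0 ]; then
            chown "$user:$(id -gn "$user")" "$base/$d"
        fi
    done
}

# pool_config POOL_USER BASE_DIR
# Prints the lines to put in the pool file (e.g. /etc/php-fpm.d/www.conf).
pool_config() {
    user="$1"; base="$2"
    printf 'user = %s\ngroup = %s\n' "$user" "$user"
    printf 'php_value[session.save_handler] = files\n'
    printf 'php_value[session.save_path]    = %s/session\n' "$base"
    printf 'php_value[soap.wsdl_cache_dir]  = %s/wsdlcache\n' "$base"
    printf 'php_value[opcache.file_cache]   = %s/opcache\n' "$base"
}

# check_pool_dir POOL_USER DIR
# Returns 0 when POOL_USER can write DIR via the owner bits or via a group
# it belongs to; this is the check that flags root:apache directories once
# the pool runs as another user. ACLs and SELinux are not considered.
check_pool_dir() {
    user="$1"; dir="$2"
    owner=$(stat -c '%U' "$dir"); group=$(stat -c '%G' "$dir")
    perm=$(printf '%s' "$(stat -c '%a' "$dir")" | tail -c 3)   # strip suid/sgid digit
    odigit=$(printf '%s' "$perm" | cut -c1); gdigit=$(printf '%s' "$perm" | cut -c2)
    case "$odigit" in 2|3|6|7) [ "$owner" = "$user" ] && return 0 ;; esac
    case "$gdigit" in 2|3|6|7)
        case " $(id -Gn "$user") " in *" $group "*) return 0 ;; esac ;;
    esac
    return 1
}
```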

Well that’s annoying.

If I did the following:

setfacl -m g:nginx:rwx /var/lib/php/session

would it resolve the permissions issue with nginx writing sessions there?

Would a php update break this?

Would a php update break this?

Yes.

You should definitively use another set of directories (or simply use default “apache” account)

Will do.

But I’m just curious as to how one might use the apache account. Are you suggesting that nginx run under the apache account?

nginx runs under the nginx user and needs read permission on static files
fpm runs under the apache user and needs read permission on php files and write permission on some directories (session, temp, upload, …)

You can consider “apache” as the “www-data” of some other distributions.

So I should not have deleted the builtin apache user. That’s what I get for using google to configure my machine which generally suggests changing php-fpm user / group to nginx.

I have restored the apache user:

# groupadd -r -g 48 apache
# useradd -r -u 48 -g 48 -M -d /usr/share/httpd -s /sbin/nologin apache

changed /etc/php-fpm.d/www.conf and /var/lib/php dirs to stock and everything seems to be working fine.

php-fpm has a fixed idea on who should own files. It’s either nginx or apache, but pay attention to how it’s set.

What I found was a week of pain trying to switch it, only to have it reverted with each upgrade. Just go with what it’s chosen, set your perms regardless, and be happy.