
Issue PHP 7 as PHP-FPM application, user and groups are www-data

web3dprint

New Pleskian
I would like to switch from FastCGI application to PHP-FPM, but if I do so from the PHP settings of a domain that I manage under Plesk 12.5, the user that is executing the application is www-data, this causes problems of permissions with the FTP user files, which is the user that the FastCGI setting makes PHP run from.

I can verify this in my PrestaShop application, since the .htaccess file cannot be overwritten by PHP running PHP-FPM, if I manually delete it, I can see that it is generated under that user name and group.

$ ls -la
drwxr-x--- 26 domainuser psaserv 4.0K Jul 23 00:30 .
[...]
-rw-r--r-- 1 domainuser psacln 21K Jul 23 18:47 .htaccess
[...]
$ rm .htaccess


(change settings in Plesk, run app, regenerate .htaccess)
-rw-r--r-- 1 www-data www-data 4.1K Jul 23 19:04 .htaccess

So how could I change this? Thank you in advance.
 
Hi web3dprint,

consider to add the system-user, which runs your nginx-proxy ( mostly configured as system-user: "nginx" ) to the group "psacln", which isn't configured as a standard yet in Plesk, even that nginx is used on most servers, where Plesk is installed.

For Ubuntu/Debian based systems, you would use the command:

usermod -aG psacln nginx


Additional note:
"psacln" handles all PHP requests and therefore both system-users ( apache and nginx ) should be in this group.
 
That means that I would need to make all files folders group writable, am I right?
Also, that wouldn't solve the fact that files would end up with mixed owners.

Is there really no other way to solve this? Feels like a bug to me.

I have to admit I'm no expert. But when I look at the configurations in /var/www/vhosts/system/domain.com/conf/httpd.conf I see that Apache is configured to use mod_suexec to run as the ftp user, why isn't the php-fpm configuration doing the same thing?
 
Hi web3dprint,

That means that I would need to make all files folders group writable, am I right?
No. Pls. ask yourself, WHY this should be necessary at all again?!?

Also, that wouldn't solve the fact that files would end up with mixed owners.
Sorry, but this is not correct.

IF you use apache in combination with nginx and PHP files are served over nginx, then the system-user "www-data" ( apache ) should be in the group "nginx" and the system-user "nginx" should be in the group "www-data".
Let's have another look to your global vhosts - docroot - settings:

/var/www/vhosts/YOUR-DOMAIN/httpdocs
/var/www/vhosts/YOUR-DOMAIN/YOUR-SUB-DOMAIN

are owned by group "psaserv" and the corresponding "domain-system-user" of your domain.
The group "psaserv" should contain these standard - group-members: psaserv:x:XXXX:www-data,psaftp,psaadm,nginx ( where XXXX is the server-unique-group-ID )

But FILES and FOLDERS INSIDE of the above location, have the standard - permissions: group = psacln / user: domain-system-user
The group "psacln" should contain these standard - group-members: psacln:x:1003:www-data

As I stated before, Plesk did not add the system-user "nginx" to the group "psacln", which is no bug at all, it's because the standard settings are based on APACHE-ONLY usage. NGINX itself is an addon, and not a standard.
The standard to serve PHP is FastCGI and not PHP-FPM, but PHP-FPM - configuration files are configured with www-data : www-data - permissions in their standard - configuration. IF you now change your hosting - settings, that NGINX should serve PHP - files, pls. review your standard settings and you will notice, that in this case YOUR UNIQUE, domain-specific standard - setting misses permissions for NGINX in the group "psacln" - that's why I suggested, that you should consider to add the system-user "nginx" to the group "psacln" for your unique setting.

Is there really no other way to solve this? Feels like a bug to me.
If you really feel this way, it's absolutely o.k. - but I can't see any reason for that. You might consider to discuss that here in the forum, but I'm the wrong person for discussions. I just would like to help you to solve your issue. ;)

I have to admit I'm no expert. But when I look at the configurations in /var/www/vhosts/system/domain.com/conf/httpd.conf I see that Apache is configured to use mod_suexec to run as the ftp user, why isn't the php-fpm configuration doing the same thing?
"mod_suexec" handles "CGI scripts" - permissions, not PHP permissions.
 
Thank you very much for your informative answer. Actually at this point I don't even know if I'm trying to do the right thing here.

The setting I'd like to use is one that Plesk offers, it's FPM application served by Apache (see screenshot). I want Apache to serve the PHP, because the CMS that I'm using makes assumptions on it and sincerely I'd prefer to first see other options rather than switching to nginx-only (which would require some work in converting configuration files and other things). Does it even make sense to have nginx reverse proxy in front of Apache with FPM then? I'm sincerely asking, I haven't looked into optimising PHP in a while.

Screenshot (unfortunately I can only have one language, which is Italian):
[Image: Screen Shot 2016-07-24 at 21.01.48.png]


When you did suggest to add user nginx to psacln, I did so.

But as you said, files and folders inside httpdocs are owned by domain-system-user:psacln. Doesn't that mean that for user nginx:psacln to write to those files it needs to have group access? Because it is not the owner, domain-system-user is. Actually, with the setting that I'm describing above, the nginx user wouldn't even be involved at all, no?

My feelings come from a bit of both ignorance and frustration ;)
 
Hi web3dprint,

But as you said, files and folders inside httpdocs are owned by domain-system-user:psacln. Doesn't that mean that for user nginx:psacln to write to those files it needs to have group access? Because it is not the owner, domain-system-user is. Actually, with the setting that I'm describing above, the nginx user wouldn't even be involved at all, no?
No.... please don't mix things - you will get into trouble, issues, problems.....

/var/www/vhosts/YOUR-DOMAIN/httpdocs
/var/www/vhosts/YOUR-DOMAIN/YOUR-SUB-DOMAIN
are owned by group "psaserv" and the corresponding "domain-system-user" of your domain.
The group "psaserv" should contain these standard - group-members: psaserv:x:XXXX:www-data,psaftp,psaadm,nginx ( where XXXX is the server-unique-group-ID )

But FILES and FOLDERS INSIDE of the above location, have the standard - permissions: group = psacln / user: domain-system-user
The group "psacln" should contain these standard - group-members: psacln:x:1003:www-data

You should never use other permissions, when you modify folders and files!

my PrestaShop application
IF you use "PrestaShop", you should consider to use "FPM servito da nginx" and add as additional nginx - directives, as documented in the official PrestaShop - documentations:

Code:
location /PRESTASHOP_FOLDER/ {
  index /PRESTASHOP_FOLDER/index.php;
  rewrite ^/PRESTASHOP_FOLDER/api/?(.*)$ /PRESTASHOP_FOLDER/webservice/dispatcher.php?url=$1 last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/p/$1/$1$2.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/p/$1/$2/$1$2$3.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/p/$1/$2/$3/$1$2$3$4.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/p/$1/$2/$3/$4/$1$2$3$4$5.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/c/([0-9]+)(-[_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/c/$1$2.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/c/([a-zA-Z-]+)(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/c/$1.jpg last;
  rewrite ^/PRESTASHOP_FOLDER/([0-9]+)(-[_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ /PRESTASHOP_FOLDER/img/c/$1$2.jpg last;
  try_files $uri $uri/ /PRESTASHOP_FOLDER/index.php?$args;
}


When you did suggest to add user nginx to psacln, I did so.




This does absolutely not mean, that you should modify the permissions INSIDE "/var/www/vhosts/YOUR-DOMAIN/httpdocs" or/and "/var/www/vhosts/YOUR-DOMAIN/YOUR-SUB-DOMAIN" to something different than:

Code:
psacln:domain-system-user
When we talk about linux configurations, the FIRST name is always the GROUP, the SECOND name is always the USER!

These permissions stay like this, either if you use apache2, apache2+nginx, or apache2+nginx+fpm !
 
Again, thank you for your feedback. In the end I'm not sure if we are going to do the move. Thing is it's not just the rewriting rules for PrestaShop, there are more subtle changes that would need to happen. For example, I'd need to train people that are used to writing redirects in .htaccess files (I know, not the best, but we'd need more work to change that) and there are modules and components of PrestaShop that would need to be checked because they have some custom .htaccess in their subfolders. At this point, we don't need to move to fpm, I just wanted to try. But in our specific case we'd rather stay with FastCGI and keep Apache. If it were just for me, I'd take it and make the switch. Just to clarify, I previously wrote username:group because that's generally the order you get from ls -l listing :) But it's true that getent does list in the other way around, and I guess that's a better way to represent it when talking about it. Thank you for the clarifications. Anyway, to me it was clear which part was user and which was group.

I came here because the last thing I'd like to do is change permissions to work around php settings. I still don't fully understand why Apache+FPM wouldn't play nicely with permissions, basically being www-data:www-data.
 
As a test I recreated my setup in a local VM: Ubuntu 14.04, Plesk 12.5 (trial) and set up nginx reverse proxy in front of apache with php-fpm and it works flawlessly. The user running the pool is the system-domain-user. So I checked back on my running Plesk configuration. When I enabled FPM served by Apache, and opened the phpinfo page, I see this:
[Image: Screen_Shot_2016-07-27_at_14_09_47.png]

I had a quick look around on Google but I don't understand what is going on. In the trial Plesk this section doesn't even appear, and I'm not sure how it appeared in the first place. Any suggestions on how to fix it?
 
Hi web3dprint,

consider to post the depending PHP5-FPM - configuration file ( named as "YOUR-DOMAIN.COM.conf" or "SUBDOMAIN.YOUR-DOMAIN.COM.conf" ), if you would like help with investigations, otherwise people willing to help you have to dig in the dark and suggestions may not solve your issues/problems.
Plesk PHP5-FPM - configuration files are located in the depending PHP - folder at "/opt/plesk/php/X.X/etc/php-fpm.d".
You could use as well "locate" over the command line, to search for your file: "locate YOUR-DOMAIN.COM.conf | grep fpm".

Sometimes, the build-process of configuration files may have issues/problems, which could be investigated by viewing the Plesk - log - files ( /usr/local/psa/admin/logs/panel.log ).
Sometimes, it is as well a good idea to change the log - level, to get more information in psa - log - files:


Old *.conf files might still exist, or new ones could have not been created. It is often a good idea to investigate as well the depending php-fpm - log - files, to see if possible misconfigurations lead to issues/problems/failures. You should find the log - files always at "/var/log/*".
 
So, these are the contents of /opt/plesk/php/7.0/etc/php-fpm.d/{domain}.conf :

; ATTENTION!
;
; DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
; SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

; If you need to customize this file, use either custom PHP settings tab in
; Panel or override settings in /var/www/vhosts/system/{domain}/conf/php.ini.
; To override pool configuration options, specify them in [php-fpm-pool-settings]
; section of /var/www/vhosts/system/{domain}/conf/php.ini file.

[{domain}]
; Don't override following options, they are relied upon by Plesk internally
prefix = /var/www/vhosts/system/$pool
user = {domain-user}
group = psacln

listen = php-fpm.sock
listen.owner = root
listen.group = psaserv
listen.mode = 0660

; Following options can be overridden
chdir = /

; By default use ondemand spawning (this requires php-fpm >= 5.3.9)
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; Following pm.* options are used only when 'pm = dynamic'
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1

; Uses for log facility
; If php_value[error_log] is not defined error output will be send for nginx
catch_workers_output = yes

; php.ini custom configuration directives
php_value[newrelic.license] = "[...]"
php_value[upload_max_filesize] = 10M
php_value[post_max_size] = 16M
php_value[open_basedir] = "/var/www/vhosts/{domain}/:/tmp/"


Besides the custom directives, it looks exactly as it does on the fresh trial install.

I'll do as you said and look for other configs and logs, reporting back soon.
 
Hi web3dprint,

Code:
; ATTENTION!
;
; DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
; SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

; If you need to customize this file, use either custom PHP settings tab in
; Panel or override settings in /var/www/vhosts/system/{domain}/conf/php.ini.
; To override pool configuration options, specify them in [php-fpm-pool-settings]
; section of /var/www/vhosts/system/{domain}/conf/php.ini file.

[{domain}]
; Don't override following options, they are relied upon by Plesk internally
prefix = /var/www/vhosts/system/$pool
user = {domain-user}
group = psacln

listen = php-fpm.sock
listen.owner = root
listen.group = psaserv
listen.mode = 0660

; Following options can be overridden
chdir = /

; By default use ondemand spawning (this requires php-fpm >= 5.3.9)
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; Following pm.* options are used only when 'pm = dynamic'
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1

; Uses for log facility
; If php_value[error_log] is not defined error output will be send for nginx
catch_workers_output = yes

; php.ini custom configuration directives
php_value[newrelic.license] = "[...]"
php_value[upload_max_filesize] = 10M
php_value[post_max_size] = 16M
php_value[open_basedir] = "/var/www/vhosts/{domain}/:/tmp/"

... all fine here... no misconfigurations.
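
A check for the pool settings in the file posted above, added here as an example and not part of the thread or of Plesk's own tooling: it reads `user`, `group`, `listen.mode` and `open_basedir` from a pool file and reports where they differ from the per-domain identity. The function names, `example-user`, `example.com` and the shared-account sample are assumptions.

```shell
# Added example, not Plesk code. pool_get FILE KEY prints the value of "KEY = value".
pool_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # php-fpm comment line
        {
            eq = index($0, "=")
            if (eq == 0) next                    # section header or blank line
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # trim blanks and quotes
            if (k == key) val = v                # last assignment wins
        }
        END { print val }' "$1"
}

# audit_pool FILE USER GROUP prints one finding per line; no output means clean.
audit_pool() {
    conf=$1; want_user=$2; want_group=$3
    user=$(pool_get "$conf" user)
    group=$(pool_get "$conf" group)
    mode=$(pool_get "$conf" listen.mode)
    basedir=$(pool_get "$conf" 'php_value[open_basedir]')
    [ "$user" = "$want_user" ] || echo "user: pool runs as '$user', expected '$want_user'"
    [ "$group" = "$want_group" ] || echo "group: pool group is '$group', expected '$want_group'"
    case $mode in                                # last octal digit = "other" bits
        ''|*0) ;;                                # unset or no access for others
        *) echo "listen.mode: '$mode' lets any local user reach the socket" ;;
    esac
    [ -n "$basedir" ] || echo "open_basedir: not set for this pool"
    return 0
}

# Constructed samples: the pool from the thread (example-user stands in for
# {domain-user}) and a hypothetical pool left on the shared www-data account.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/domain.conf" <<'EOF'
[example.com]
user = example-user
group = psacln
listen.owner = root
listen.group = psaserv
listen.mode = 0660
php_value[open_basedir] = "/var/www/vhosts/example.com/:/tmp/"
EOF
printf '[example.com]\nuser = www-data\ngroup = www-data\nlisten.mode = 0666\n' \
    > "$SAMPLE_DIR/shared.conf"

audit_pool "$SAMPLE_DIR/domain.conf" example-user psacln   # prints nothing
audit_pool "$SAMPLE_DIR/shared.conf" example-user psacln   # prints four findings
```

A clean result only describes the pool file; it says nothing about whether requests actually reach that pool.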
 
From what I can tell it is not domain specific: I created a new domain on the live plesk, and if I use the same setting (fpm served by apache) it suffers the same issues, basically loading apache2handler. So it's a system-level thing, I guess? Is this a setting of PHP or Apache itself?

Even stranger… whenever I set FPM, even if I set Plesk's PHP version 7, phpinfo reports that the OS-supplied version of php 5.5 is being used… I think I'm losing my mind on this. I'll just stay on FastCGI and whenever we need to change VPS I'll try again in the future…
 