DEV Community

pallade
pallade

Posted on

php-fpm says: Failed to open stream: Permission denied

This is an error message I recently debugged with PHP-fpm on Apache2 and Ubuntu (other webservers will behave the same way).

Thu Apr 13 09:23:02.625178 2023] [proxy_fcgi:error] [pid 233355] [client XXX.XXX.XXX.XXX:46074] AH01071: Got error 'PHP message: PHP Warning: PHP Request Startup: Failed to open stream: Permission denied in Unknown on line 0; Unable to open primary script: /ZZZ/XXX/YYY/public_html/index.php (Permission denied)', referer: http://XXXXX.com/

What does this error say?

  1. Apache connected correctly to the php-fpm backend, so the issue is not to be researched at apache level
  2. php-fpm correctly identified the file (/ZZZ/XXX/YYY/public_html/index.php) so both the Apache2 instructions and the pool are configured correctly
  3. php-fpm could not read the file due to permissions denied

What to check:

  • First, check how does the pool read the file. You can do that simply by calling ps aux | grep php-fpm
  • Then, see if the user can effectively read the file: sudo -u PHP_FPM_USER less /ZZZ/XXX/YYY/public_html/index.php. If this gives a permission denied, then you need to add permissions to the file (and, possibly, add a "x" permission to the path upstream to it).
  • If the php-fpm user can read the file, then something else is blocking it, and it is not system file permissions!

In Ubuntu the most probable culprit will be Apparmor. The solution is quite easy however: add your path to the allowed list of directories that php-fpm can read. You can use some magic to make this general.

Edit /etc/apparmor.d/php-fpm and add something like:

/ZZZ/*/YYY/site/** rw,

this will, for example, allow PHP to read:

  • /ZZZ/somesite/YYY/site/index.php
  • /ZZZ/somesite/YYY/site/public_html/anything.php
  • /ZZZ/othersite/YYY/site/public_html/hello.jpg

Then restart apparmor and it should work.

Top comments (0)