Why does php-fpm ignore permissions defined for supplementary groups?


I have a user on my Linux machine ("php") that is a member of two groups. The primary group is "php" and a supplementary group is "www".

I have a directory on my Linux machine (/home/www/public/wp-content/uploads) whose user is www and whose group is www and whose permissions are set to 775.

I expect that a process running as the "php" user should be able to read and write files in that directory. If I run a script from the command line that fopen's a file in that directory as the "php" user, it works fine!

However if I start php-fpm with user "php" and group "php", I get a "permission denied" error when trying to write to that directory.

I expect that the php-fpm process should still be able to write to that directory, since it's running as the "php" user, which is part of the "www" group that owns the directory. But I get "permission denied."

Why does the php-fpm behavior differ from the behavior from a php script?

(I restarted php-fpm after I added the secondary group, so it's not a staleness issue.)


There are 2 answers

Kevin Burke (BEST ANSWER)

It looks like the php-fpm source code calls setgid here: https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_unix.c#L383-L386

        if (0 > setgid(wp->set_gid)) {
            zlog(ZLOG_SYSERROR, "[pool %s] failed to setgid(%d)", wp->config->name, wp->set_gid);
            return -1;
        }

As far as I am able to determine, a process cannot access permissions available to supplementary groups after it invokes setgid, so I'm SOL.
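An added illustration of the mechanism behind this answer (example code, not from the original post and not php-fpm's own code): setgid(2) changes only the process's effective group id; the supplementary group list is touched only by setgroups(2) or initgroups(3). A worker produced by setgid()+setuid() therefore keeps whatever supplementary list its parent had, whereas a login shell has had initgroups() run for the user. The block models the kernel's discretionary write check for both cases and shows the drop-privileges order that carries the user's full group list along. The numeric ids, the 0775 mode and the `php`/`www` names are constructed assumptions matching the question, not values from any real system.

```c
#define _DEFAULT_SOURCE 1   /* initgroups(3) prototype on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed ids for the question's scenario; real systems differ. */
#define UID_PHP 1001u
#define GID_PHP 1001u
#define UID_WWW 1002u
#define GID_WWW 1002u
#define UPLOADS_MODE 0775   /* drwxrwxr-x, owned by www:www */

/* Classic Unix DAC rule for a non-root process (ACLs and capabilities
 * ignored): owner bits if euid matches the owner, else group bits if the
 * egid OR any supplementary group matches the file's group, else other
 * bits. Returns 1 if a write would be allowed, 0 otherwise. */
int unix_may_write(mode_t mode, uid_t file_uid, gid_t file_gid,
                   uid_t euid, gid_t egid, const gid_t *groups, int ngroups)
{
    if (euid == file_uid)
        return (mode & S_IWUSR) != 0;
    if (egid == file_gid)
        return (mode & S_IWGRP) != 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == file_gid)
            return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Scenario 1: the script run from a login shell. login(1)/su(1) called
 * initgroups(), so the process carries www as a supplementary group. */
int shell_can_write(void)
{
    gid_t groups[] = { GID_PHP, GID_WWW };
    return unix_may_write(UPLOADS_MODE, UID_WWW, GID_WWW,
                          UID_PHP, GID_PHP, groups, 2);
}

/* Scenario 2: a worker whose parent ran setgid(php) and setuid(php) but
 * never initgroups(). The effective gid is php, and the supplementary list
 * is whatever the parent had (a root-started master: root's, modelled here
 * as empty), so www is not in it and the 775 group bits never apply. */
int fpm_worker_can_write(void)
{
    return unix_may_write(UPLOADS_MODE, UID_WWW, GID_WWW,
                          UID_PHP, GID_PHP, NULL, 0);
}

/* Does the calling process really hold gid g, via its egid or getgroups()?
 * The in-process equivalent of what `id -G` prints. */
int process_has_group(gid_t g)
{
    if (getegid() == g)
        return 1;
    int n = getgroups(0, NULL);          /* size the list first */
    if (n <= 0)
        return 0;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (!list)
        return 0;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == g) { found = 1; break; }
    free(list);
    return found;
}

/* The sequence a daemon started as root needs so its worker gets the
 * user's whole group list, not only the primary gid: setgid, then
 * initgroups, then setuid. Order matters: once the uid is no longer root,
 * initgroups()/setgroups() fail with EPERM. Returns 0 on success. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return -1;
    if (setgid(pw->pw_gid) < 0)
        return -1;
    if (initgroups(user, pw->pw_gid) < 0)   /* the step a setgid()-only path lacks */
        return -1;
    if (setuid(pw->pw_uid) < 0)
        return -1;
    return 0;
}

/* Usage: ./a.out              -> prints the two modelled scenarios
 *        sudo ./a.out php www -> really drops to "php" and reports whether
 *                                group "www" came along (hypothetical names) */
int main(int argc, char **argv)
{
    printf("login shell as php:                    %s\n",
           shell_can_write() ? "write allowed" : "permission denied");
    printf("setgid/setuid worker, no initgroups(): %s\n",
           fpm_worker_can_write() ? "write allowed" : "permission denied");

    if (argc > 2 && geteuid() == 0) {
        if (drop_privileges(argv[1]) != 0) {
            perror("drop_privileges");
            return 1;
        }
        struct group *gr = getgrnam(argv[2]);
        printf("now uid=%u, %s in supplementary groups: %s\n",
               (unsigned)geteuid(), argv[2],
               gr && process_has_group(gr->gr_gid) ? "yes" : "no");
    }
    return 0;
}
```

To check a live worker rather than the model, read the `Groups:` line of `/proc/<worker pid>/status` on Linux: if the group you expect is missing there, no amount of `chmod g+w` on the directory will help, and the fix is either to have the daemon call initgroups() when dropping privileges or to make the needed group the worker's primary group.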

Stelian

Most likely you configured the fpm daemon poorly; you would need to specify the group in the conf file like this: [php] group=php