I have set up an Apache+PHP-FPM environment and I have set the following in the PHP-FPM pool file:
[www]
user = mary
group = mary
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 8
pm.start_servers = 4
pm.min_spare_servers = 2
pm.max_spare_servers = 4
pm.max_requests = 50
Everything is fine. I have confirmed in the phpinfo that it's running in PHP-FPM, and it's also running as the user mary with the following code:
<?php
echo `whoami`;
?>
I have set 0750 permissions on htdocs recursively (everything inside this folder also inherits these permissions):
owner: mary RWX
group: www-data RX
It's running fine. But since I am running as mary in PHP-FPM, I think Apache does not actually need to have access to htdocs.
So I tried to set 0700 on htdocs also recursively, which actually means only allowing the owner mary to have RWX permissions on this folder. But then I got permission denied when I access the pages in htdocs, which does not happen when using 0750.
Why does Apache still need access to htdocs in this situation?
Apache is reading your file then passing it to php-fpm. By not giving Apache access to the file, it has no way of passing the file to the interpreter. It must have read access to these files.
My guess would be that PHP might be running as mary but Apache still needs rx to read the PHP file prior to executing it.
Show us the way you have connected php-fpm and Apache; there are certainly some Directory -- or such -- instructions on the Apache side, or maybe you've used mod_proxy_fcgid?
If not then Apache is quite certainly forbidding the access before any fastcgi task gets tested. Using debug log level in Apache could certainly show the difference between the request with apache access allowed on the directory and without.
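As an added example (not part of the original thread), the sketch below evaluates plain POSIX mode bits along htdocs/index.php for two identities: the tree's owner, standing in for mary, and a non-owner in the tree's group, standing in for Apache's www-data. The function names, the temporary tree and the stand-in uid are constructed for illustration; ACLs, root and capabilities are ignored.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits that apply to this identity: owner class, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_denial(docroot, relpath, uid, gids):
    """Return the first path this identity cannot pass, or None if all are allowed.
    Directories need search (x = 1), the file itself needs read (r = 4).
    Plain mode bits only: ACLs, root and capabilities are ignored."""
    chain = [docroot]
    for part in relpath.strip("/").split("/"):
        chain.append(os.path.join(chain[-1], part))
    for path in chain:
        st = os.stat(path)
        need = 1 if stat.S_ISDIR(st.st_mode) else 4
        if (class_bits(st, uid, gids) & need) != need:
            return path
    return None

def demo(mode):
    """Constructed tree htdocs/index.php with `mode` set recursively, as in the question.
    Returns (path blocking the owner, path blocking the web server), relative to the tree."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")
        os.mkdir(docroot)
        page = os.path.join(docroot, "index.php")
        with open(page, "w") as f:
            f.write("<?php echo 'ok';\n")
        os.chmod(page, mode)
        os.chmod(docroot, mode)
        owner = os.stat(docroot).st_uid      # stands in for mary
        web_uid = owner + 1                  # assumed uid for www-data: any non-owner
        web_gids = {os.stat(docroot).st_gid, os.stat(page).st_gid}  # tree's group
        results = (first_denial(docroot, "index.php", owner, set()),
                   first_denial(docroot, "index.php", web_uid, web_gids))
        return tuple(p and os.path.relpath(p, base) for p in results)

if __name__ == "__main__":
    print("0750:", demo(0o750))   # (None, None)
    print("0700:", demo(0o700))   # (None, 'htdocs')
```

On a live host, `first_denial` can be pointed at the real document root with the uid and group ids of the Apache user to see which component rejects it.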