[{"data":1,"prerenderedAt":1455},["ShallowReactive",2],{"\u002Ffix-issues\u002Fgunicorn-socket-permission-denied-fix-guide":3},{"id":4,"title":5,"body":6,"description":1445,"extension":1446,"meta":1447,"navigation":119,"path":1451,"seo":1452,"stem":1453,"__hash__":1454},"content\u002Ffix-issues\u002Fgunicorn-socket-permission-denied-fix-guide.md","Gunicorn Socket Permission Denied (Fix Guide)",{"type":7,"value":8,"toc":1434},"minimark",[9,13,17,22,25,220,223,227,238,242,890,893,902,905,917,920,927,930,938,941,947,954,957,982,986,1072,1076,1079,1208,1211,1255,1268,1272,1340,1344,1366,1370,1381,1396,1411,1423,1427,1430],[10,11,5],"h1",{"id":12},"gunicorn-socket-permission-denied-fix-guide",[14,15,16],"p",{},"If you're seeing a permission denied error on a Gunicorn socket or Nginx cannot access the Gunicorn Unix socket, this guide shows you how to fix it step-by-step. The goal is to restore communication between Nginx, systemd, and Gunicorn and confirm the app serves requests normally.",[18,19,21],"h2",{"id":20},"quick-fix-quick-setup","Quick Fix \u002F Quick Setup",[14,23,24],{},"Run the following with your actual Gunicorn service user and socket path:",[26,27,32],"pre",{"className":28,"code":29,"language":30,"meta":31,"style":31},"language-bash shiki shiki-themes github-light github-dark","sudo usermod -aG www-data gunicorn\nsudo install -d -m 775 -o gunicorn -g www-data \u002Frun\u002Fgunicorn\nsudo chown gunicorn:www-data \u002Frun\u002Fgunicorn\nsudo chmod 775 \u002Frun\u002Fgunicorn\n\n# example systemd values\n# User=gunicorn\n# Group=www-data\n# UMask=0007\n# ExecStart=\u002Fpath\u002Fto\u002Fvenv\u002Fbin\u002Fgunicorn --workers 3 --bind unix:\u002Frun\u002Fgunicorn\u002Fapp.sock wsgi:app\n\nsudo systemctl daemon-reload\nsudo systemctl restart gunicorn\nsudo nginx -t && sudo systemctl reload nginx\nls -lah \u002Frun\u002Fgunicorn 
\u002Frun\u002Fgunicorn\u002Fapp.sock\n","bash","",[33,34,35,58,89,102,114,121,128,134,140,146,152,157,168,180,205],"code",{"__ignoreMap":31},[36,37,40,44,48,52,55],"span",{"class":38,"line":39},"line",1,[36,41,43],{"class":42},"sScJk","sudo",[36,45,47],{"class":46},"sZZnC"," usermod",[36,49,51],{"class":50},"sj4cs"," -aG",[36,53,54],{"class":46}," www-data",[36,56,57],{"class":46}," gunicorn\n",[36,59,61,63,66,69,72,75,78,81,84,86],{"class":38,"line":60},2,[36,62,43],{"class":42},[36,64,65],{"class":46}," install",[36,67,68],{"class":50}," -d",[36,70,71],{"class":50}," -m",[36,73,74],{"class":50}," 775",[36,76,77],{"class":50}," -o",[36,79,80],{"class":46}," gunicorn",[36,82,83],{"class":50}," -g",[36,85,54],{"class":46},[36,87,88],{"class":46}," \u002Frun\u002Fgunicorn\n",[36,90,92,94,97,100],{"class":38,"line":91},3,[36,93,43],{"class":42},[36,95,96],{"class":46}," chown",[36,98,99],{"class":46}," gunicorn:www-data",[36,101,88],{"class":46},[36,103,105,107,110,112],{"class":38,"line":104},4,[36,106,43],{"class":42},[36,108,109],{"class":46}," chmod",[36,111,74],{"class":50},[36,113,88],{"class":46},[36,115,117],{"class":38,"line":116},5,[36,118,120],{"emptyLinePlaceholder":119},true,"\n",[36,122,124],{"class":38,"line":123},6,[36,125,127],{"class":126},"sJ8bj","# example systemd values\n",[36,129,131],{"class":38,"line":130},7,[36,132,133],{"class":126},"# User=gunicorn\n",[36,135,137],{"class":38,"line":136},8,[36,138,139],{"class":126},"# Group=www-data\n",[36,141,143],{"class":38,"line":142},9,[36,144,145],{"class":126},"# UMask=0007\n",[36,147,149],{"class":38,"line":148},10,[36,150,151],{"class":126},"# ExecStart=\u002Fpath\u002Fto\u002Fvenv\u002Fbin\u002Fgunicorn --workers 3 --bind unix:\u002Frun\u002Fgunicorn\u002Fapp.sock wsgi:app\n",[36,153,155],{"class":38,"line":154},11,[36,156,120],{"emptyLinePlaceholder":119},[36,158,160,162,165],{"class":38,"line":159},12,[36,161,43],{"class":42},[36,163,164],{"class":46}," systemctl",[36,166,167],{"class":46}," 
daemon-reload\n",[36,169,171,173,175,178],{"class":38,"line":170},13,[36,172,43],{"class":42},[36,174,164],{"class":46},[36,176,177],{"class":46}," restart",[36,179,57],{"class":46},[36,181,183,185,188,191,195,197,199,202],{"class":38,"line":182},14,[36,184,43],{"class":42},[36,186,187],{"class":46}," nginx",[36,189,190],{"class":50}," -t",[36,192,194],{"class":193},"sVt8B"," && ",[36,196,43],{"class":42},[36,198,164],{"class":46},[36,200,201],{"class":46}," reload",[36,203,204],{"class":46}," nginx\n",[36,206,208,211,214,217],{"class":38,"line":207},15,[36,209,210],{"class":42},"ls",[36,212,213],{"class":50}," -lah",[36,215,216],{"class":46}," \u002Frun\u002Fgunicorn",[36,218,219],{"class":46}," \u002Frun\u002Fgunicorn\u002Fapp.sock\n",[14,221,222],{},"Use the actual Gunicorn service user and socket path from your setup. The Nginx worker user must be able to traverse the socket directory and read\u002Fwrite the socket. Connecting does not require write permission on the directory itself, so the directory mode can be tightened once the setup works.",[18,224,226],{"id":225},"whats-happening","What’s Happening",[14,228,229,230,233,234,237],{},"Gunicorn creates a Unix socket file and Nginx connects to it instead of a TCP port. A permission denied error usually means Nginx cannot access the socket file or its parent directory. 
The usual causes are mismatched users\u002Fgroups, restrictive directory permissions, a bad ",[33,231,232],{},"UMask",", or ",[33,235,236],{},"\u002Frun"," being recreated with the wrong ownership on restart.",[18,239,241],{"id":240},"step-by-step-guide","Step-by-Step Guide",[243,244,245,345,407,461,540,668,712,790,830,885],"ol",{},[246,247,248,252,255,256,280,282,283,310,312,313,328,330,331,342,344],"li",{},[249,250,251],"strong",{},"Identify the socket path used by Nginx and Gunicorn",[253,254],"br",{},"Check your Nginx site config:",[26,257,259],{"className":28,"code":258,"language":30,"meta":31,"style":31},"sudo grep -R \"unix:\" \u002Fetc\u002Fnginx\u002Fsites-enabled \u002Fetc\u002Fnginx\u002Fconf.d\n",[33,260,261],{"__ignoreMap":31},[36,262,263,265,268,271,274,277],{"class":38,"line":39},[36,264,43],{"class":42},[36,266,267],{"class":46}," grep",[36,269,270],{"class":50}," -R",[36,272,273],{"class":46}," \"unix:\"",[36,275,276],{"class":46}," \u002Fetc\u002Fnginx\u002Fsites-enabled",[36,278,279],{"class":46}," \u002Fetc\u002Fnginx\u002Fconf.d\n",[253,281],{},"Example:",[26,284,288],{"className":285,"code":286,"language":287,"meta":31,"style":31},"language-nginx shiki shiki-themes github-light github-dark","location \u002F {\n    include proxy_params;\n    proxy_pass http:\u002F\u002Funix:\u002Frun\u002Fgunicorn\u002Fapp.sock;\n}\n","nginx",[33,289,290,295,300,305],{"__ignoreMap":31},[36,291,292],{"class":38,"line":39},[36,293,294],{},"location \u002F {\n",[36,296,297],{"class":38,"line":60},[36,298,299],{},"    include proxy_params;\n",[36,301,302],{"class":38,"line":91},[36,303,304],{},"    proxy_pass http:\u002F\u002Funix:\u002Frun\u002Fgunicorn\u002Fapp.sock;\n",[36,306,307],{"class":38,"line":104},[36,308,309],{},"}\n",[253,311],{},"Check your Gunicorn service:",[26,314,316],{"className":28,"code":315,"language":30,"meta":31,"style":31},"systemctl cat 
gunicorn\n",[33,317,318],{"__ignoreMap":31},[36,319,320,323,326],{"class":38,"line":39},[36,321,322],{"class":42},"systemctl",[36,324,325],{"class":46}," cat",[36,327,57],{"class":46},[253,329],{},"Look for:",[26,332,336],{"className":333,"code":334,"language":335,"meta":31,"style":31},"language-ini shiki shiki-themes github-light github-dark","ExecStart=\u002Fpath\u002Fto\u002Fvenv\u002Fbin\u002Fgunicorn --workers 3 --bind unix:\u002Frun\u002Fgunicorn\u002Fapp.sock wsgi:app\n","ini",[33,337,338],{"__ignoreMap":31},[36,339,340],{"class":38,"line":39},[36,341,334],{},[253,343],{},"The paths must match exactly.",[246,346,347,350,352,353,378,380,381,400,402,403,406],{},[249,348,349],{},"Confirm which user Nginx runs as",[253,351],{},"Run:",[26,354,356],{"className":28,"code":355,"language":30,"meta":31,"style":31},"ps -eo user,group,cmd | grep 'nginx: worker'\n",[33,357,358],{"__ignoreMap":31},[36,359,360,363,366,369,373,375],{"class":38,"line":39},[36,361,362],{"class":42},"ps",[36,364,365],{"class":50}," -eo",[36,367,368],{"class":46}," user,group,cmd",[36,370,372],{"class":371},"szBVR"," |",[36,374,267],{"class":42},[36,376,377],{"class":46}," 'nginx: worker'\n",[253,379],{},"Or inspect:",[26,382,384],{"className":28,"code":383,"language":30,"meta":31,"style":31},"grep -n \"^user\" \u002Fetc\u002Fnginx\u002Fnginx.conf\n",[33,385,386],{"__ignoreMap":31},[36,387,388,391,394,397],{"class":38,"line":39},[36,389,390],{"class":42},"grep",[36,392,393],{"class":50}," -n",[36,395,396],{"class":46}," \"^user\"",[36,398,399],{"class":46}," \u002Fetc\u002Fnginx\u002Fnginx.conf\n",[253,401],{},"On Ubuntu, the worker user is usually ",[33,404,405],{},"www-data",".",[246,408,409,412,414,415,427,330,429,454,456,457,460],{},[249,410,411],{},"Confirm which user and group Gunicorn runs as",[253,413],{},"Inspect the 
service:",[26,416,417],{"className":28,"code":315,"language":30,"meta":31,"style":31},[33,418,419],{"__ignoreMap":31},[36,420,421,423,425],{"class":38,"line":39},[36,422,322],{"class":42},[36,424,325],{"class":46},[36,426,57],{"class":46},[253,428],{},[26,430,432],{"className":333,"code":431,"language":335,"meta":31,"style":31},"[Service]\nUser=gunicorn\nGroup=www-data\nUMask=0007\n",[33,433,434,439,444,449],{"__ignoreMap":31},[36,435,436],{"class":38,"line":39},[36,437,438],{},"[Service]\n",[36,440,441],{"class":38,"line":60},[36,442,443],{},"User=gunicorn\n",[36,445,446],{"class":38,"line":91},[36,447,448],{},"Group=www-data\n",[36,450,451],{"class":38,"line":104},[36,452,453],{},"UMask=0007\n",[253,455],{},"If ",[33,458,459],{},"Group="," is missing, add it explicitly.",[246,462,463,466,468,469,472,473,500,502,503,517,519,520],{},[249,464,465],{},"Fix the socket directory permissions",[253,467],{},"If you use ",[33,470,471],{},"\u002Frun\u002Fgunicorn",", create it with access for the Nginx group:",[26,474,476],{"className":28,"code":475,"language":30,"meta":31,"style":31},"sudo install -d -m 775 -o gunicorn -g www-data \u002Frun\u002Fgunicorn\n",[33,477,478],{"__ignoreMap":31},[36,479,480,482,484,486,488,490,492,494,496,498],{"class":38,"line":39},[36,481,43],{"class":42},[36,483,65],{"class":46},[36,485,68],{"class":50},[36,487,71],{"class":50},[36,489,74],{"class":50},[36,491,77],{"class":50},[36,493,80],{"class":46},[36,495,83],{"class":50},[36,497,54],{"class":46},[36,499,88],{"class":46},[253,501],{},"Validate:",[26,504,506],{"className":28,"code":505,"language":30,"meta":31,"style":31},"ls -ld \u002Frun\u002Fgunicorn\n",[33,507,508],{"__ignoreMap":31},[36,509,510,512,515],{"class":38,"line":39},[36,511,210],{"class":42},[36,513,514],{"class":50}," -ld",[36,516,88],{"class":46},[253,518],{},"Expected pattern:",[26,521,523],{"className":28,"code":522,"language":30,"meta":31,"style":31},"drwxrwxr-x 2 gunicorn www-data 
...\n",[33,524,525],{"__ignoreMap":31},[36,526,527,530,533,535,537],{"class":38,"line":39},[36,528,529],{"class":42},"drwxrwxr-x",[36,531,532],{"class":50}," 2",[36,534,80],{"class":46},[36,536,54],{"class":46},[36,538,539],{"class":46}," ...\n",[246,541,542,545,547,548,567,569,570,662,664,665,667],{},[249,543,544],{},"Fix the Gunicorn systemd unit",[253,546],{},"Edit the unit:",[26,549,551],{"className":28,"code":550,"language":30,"meta":31,"style":31},"sudo systemctl edit --full gunicorn\n",[33,552,553],{"__ignoreMap":31},[36,554,555,557,559,562,565],{"class":38,"line":39},[36,556,43],{"class":42},[36,558,164],{"class":46},[36,560,561],{"class":46}," edit",[36,563,564],{"class":50}," --full",[36,566,57],{"class":46},[253,568],{},"Example service:",[26,571,573],{"className":333,"code":572,"language":335,"meta":31,"style":31},"[Unit]\nDescription=Gunicorn for Flask app\nAfter=network.target\n\n[Service]\nUser=gunicorn\nGroup=www-data\nWorkingDirectory=\u002Fvar\u002Fwww\u002Fmyapp\nRuntimeDirectory=gunicorn\nRuntimeDirectoryMode=0775\nUMask=0007\nExecStart=\u002Fvar\u002Fwww\u002Fmyapp\u002Fvenv\u002Fbin\u002Fgunicorn \\\n    --workers 3 \\\n    --bind unix:\u002Frun\u002Fgunicorn\u002Fapp.sock \\\n    wsgi:app\n\n[Install]\nWantedBy=multi-user.target\n",[33,574,575,580,585,590,594,598,602,606,611,616,621,625,630,635,640,645,650,656],{"__ignoreMap":31},[36,576,577],{"class":38,"line":39},[36,578,579],{},"[Unit]\n",[36,581,582],{"class":38,"line":60},[36,583,584],{},"Description=Gunicorn for Flask 
app\n",[36,586,587],{"class":38,"line":91},[36,588,589],{},"After=network.target\n",[36,591,592],{"class":38,"line":104},[36,593,120],{"emptyLinePlaceholder":119},[36,595,596],{"class":38,"line":116},[36,597,438],{},[36,599,600],{"class":38,"line":123},[36,601,443],{},[36,603,604],{"class":38,"line":130},[36,605,448],{},[36,607,608],{"class":38,"line":136},[36,609,610],{},"WorkingDirectory=\u002Fvar\u002Fwww\u002Fmyapp\n",[36,612,613],{"class":38,"line":142},[36,614,615],{},"RuntimeDirectory=gunicorn\n",[36,617,618],{"class":38,"line":148},[36,619,620],{},"RuntimeDirectoryMode=0775\n",[36,622,623],{"class":38,"line":154},[36,624,453],{},[36,626,627],{"class":38,"line":159},[36,628,629],{},"ExecStart=\u002Fvar\u002Fwww\u002Fmyapp\u002Fvenv\u002Fbin\u002Fgunicorn \\\n",[36,631,632],{"class":38,"line":170},[36,633,634],{},"    --workers 3 \\\n",[36,636,637],{"class":38,"line":182},[36,638,639],{},"    --bind unix:\u002Frun\u002Fgunicorn\u002Fapp.sock \\\n",[36,641,642],{"class":38,"line":207},[36,643,644],{},"    wsgi:app\n",[36,646,648],{"class":38,"line":647},16,[36,649,120],{"emptyLinePlaceholder":119},[36,651,653],{"class":38,"line":652},17,[36,654,655],{},"[Install]\n",[36,657,659],{"class":38,"line":658},18,[36,660,661],{},"WantedBy=multi-user.target\n",[253,663],{},"This makes systemd create ",[33,666,471],{}," correctly on each start and ensures the socket is group-accessible.",[246,669,670,673,352,675],{},[249,671,672],{},"Reload systemd and restart Gunicorn",[253,674],{},[26,676,678],{"className":28,"code":677,"language":30,"meta":31,"style":31},"sudo systemctl daemon-reload\nsudo systemctl restart gunicorn\nsudo systemctl status gunicorn 
--no-pager\n",[33,679,680,688,698],{"__ignoreMap":31},[36,681,682,684,686],{"class":38,"line":39},[36,683,43],{"class":42},[36,685,164],{"class":46},[36,687,167],{"class":46},[36,689,690,692,694,696],{"class":38,"line":60},[36,691,43],{"class":42},[36,693,164],{"class":46},[36,695,177],{"class":46},[36,697,57],{"class":46},[36,699,700,702,704,707,709],{"class":38,"line":91},[36,701,43],{"class":42},[36,703,164],{"class":46},[36,705,706],{"class":46}," status",[36,708,80],{"class":46},[36,710,711],{"class":50}," --no-pager\n",[246,713,714,717,719,720,735,737,738,769,771,772,787,789],{},[249,715,716],{},"Validate socket ownership and mode",[253,718],{},"Check both the directory and socket:",[26,721,723],{"className":28,"code":722,"language":30,"meta":31,"style":31},"ls -lah \u002Frun\u002Fgunicorn \u002Frun\u002Fgunicorn\u002Fapp.sock\n",[33,724,725],{"__ignoreMap":31},[36,726,727,729,731,733],{"class":38,"line":39},[36,728,210],{"class":42},[36,730,213],{"class":50},[36,732,216],{"class":46},[36,734,219],{"class":46},[253,736],{},"Typical result:",[26,739,741],{"className":28,"code":740,"language":30,"meta":31,"style":31},"drwxrwxr-x 2 gunicorn www-data ...\nsrw-rw---- 1 gunicorn www-data ...\n",[33,742,743,755],{"__ignoreMap":31},[36,744,745,747,749,751,753],{"class":38,"line":39},[36,746,529],{"class":42},[36,748,532],{"class":50},[36,750,80],{"class":46},[36,752,54],{"class":46},[36,754,539],{"class":46},[36,756,757,760,763,765,767],{"class":38,"line":60},[36,758,759],{"class":42},"srw-rw----",[36,761,762],{"class":50}," 1",[36,764,80],{"class":46},[36,766,54],{"class":46},[36,768,539],{"class":46},[253,770],{},"For full path traversal debugging, run:",[26,773,775],{"className":28,"code":774,"language":30,"meta":31,"style":31},"namei -l \u002Frun\u002Fgunicorn\u002Fapp.sock\n",[33,776,777],{"__ignoreMap":31},[36,778,779,782,785],{"class":38,"line":39},[36,780,781],{"class":42},"namei",[36,783,784],{"class":50}," -l",[36,786,219],{"class":46},[253,788],{},"This 
often reveals a restrictive parent directory.",[246,791,792,795,797,798,812,814,815],{},[249,793,794],{},"Test and reload Nginx",[253,796],{},"Validate config:",[26,799,801],{"className":28,"code":800,"language":30,"meta":31,"style":31},"sudo nginx -t\n",[33,802,803],{"__ignoreMap":31},[36,804,805,807,809],{"class":38,"line":39},[36,806,43],{"class":42},[36,808,187],{"class":46},[36,810,811],{"class":50}," -t\n",[253,813],{},"Reload:",[26,816,818],{"className":28,"code":817,"language":30,"meta":31,"style":31},"sudo systemctl reload nginx\n",[33,819,820],{"__ignoreMap":31},[36,821,822,824,826,828],{"class":38,"line":39},[36,823,43],{"class":42},[36,825,164],{"class":46},[36,827,201],{"class":46},[36,829,204],{"class":46},[246,831,832,835,837,838,854,856,857,871,873,874,877,878,233,881,884],{},[249,833,834],{},"Retest requests through Nginx",[253,836],{},"Test locally:",[26,839,841],{"className":28,"code":840,"language":30,"meta":31,"style":31},"curl -I http:\u002F\u002F127.0.0.1\n",[33,842,843],{"__ignoreMap":31},[36,844,845,848,851],{"class":38,"line":39},[36,846,847],{"class":42},"curl",[36,849,850],{"class":50}," -I",[36,852,853],{"class":46}," http:\u002F\u002F127.0.0.1\n",[253,855],{},"Then test your public domain:",[26,858,860],{"className":28,"code":859,"language":30,"meta":31,"style":31},"curl -I https:\u002F\u002Fyour-domain.com\n",[33,861,862],{"__ignoreMap":31},[36,863,864,866,868],{"class":38,"line":39},[36,865,847],{"class":42},[36,867,850],{"class":50},[36,869,870],{"class":46}," https:\u002F\u002Fyour-domain.com\n",[253,872],{},"You should see ",[33,875,876],{},"200",", ",[33,879,880],{},"301",[33,882,883],{},"302"," instead of upstream permission errors.",[246,886,887],{},[249,888,889],{},"Check SELinux or AppArmor if permissions look correct",[14,891,892],{},"On SELinux 
systems:",[26,894,896],{"className":28,"code":895,"language":30,"meta":31,"style":31},"getenforce\n",[33,897,898],{"__ignoreMap":31},[36,899,900],{"class":38,"line":39},[36,901,895],{"class":42},[14,903,904],{},"On AppArmor systems:",[26,906,908],{"className":28,"code":907,"language":30,"meta":31,"style":31},"sudo aa-status\n",[33,909,910],{"__ignoreMap":31},[36,911,912,914],{"class":38,"line":39},[36,913,43],{"class":42},[36,915,916],{"class":46}," aa-status\n",[14,918,919],{},"If Unix permissions look correct but access is still denied, review the policy logs and adjust the context or profile rule rather than disabling enforcement.",[243,921,922],{"start":154},[246,923,924],{},[249,925,926],{},"Avoid bad socket locations",[14,928,929],{},"Do not place the socket under a restrictive app path unless you control directory traversal permissions, and keep it out of world-writable directories such as \u002Ftmp, where any local user can create files. Prefer:",[26,931,936],{"className":932,"code":934,"language":935,"meta":31},[933],"language-text","\u002Frun\u002Fgunicorn\u002Fapp.sock\n","text",[33,937,934],{"__ignoreMap":31},[14,939,940],{},"Avoid patterns like:",[26,942,945],{"className":943,"code":944,"language":935,"meta":31},[933],"\u002Fvar\u002Fwww\u002Fmyapp\u002Fapp.sock\n\u002Fhome\u002Fdeploy\u002Fmyapp\u002Fapp.sock\n\u002Ftmp\u002Fapp.sock\n",[33,946,944],{"__ignoreMap":31},[243,948,949],{"start":159},[246,950,951],{},[249,952,953],{},"Restart services after user\u002Fgroup changes",[14,955,956],{},"If you changed group membership, restart both services so the new access model is active:",[26,958,960],{"className":28,"code":959,"language":30,"meta":31,"style":31},"sudo systemctl restart gunicorn\nsudo systemctl restart nginx\n",[33,961,962,972],{"__ignoreMap":31},[36,963,964,966,968,970],{"class":38,"line":39},[36,965,43],{"class":42},[36,967,164],{"class":46},[36,969,177],{"class":46},[36,971,57],{"class":46},[36,973,974,976,978,980],{"class":38,"line":60},[36,975,43],{"class":42},[36,977,164],{"class":46},[36,979,177],{"class":46},[36,981,204],{"class":46},[18,983,985],{"id":984},"common-causes","Common 
Causes",[987,988,989,995,1010,1023,1040,1046,1052,1062],"ul",{},[246,990,991,994],{},[249,992,993],{},"Nginx user cannot traverse the socket directory"," → The directory containing the socket lacks execute permission for the Nginx user\u002Fgroup → Set correct ownership and mode on the parent directory.",[246,996,997,1000,1001,1003,1004,1006,1007,406],{},[249,998,999],{},"Socket file owned by the wrong group"," → Gunicorn creates the socket with a group Nginx does not belong to → Set ",[33,1002,459],{}," in systemd to a shared group such as ",[33,1005,405],{}," and use ",[33,1008,1009],{},"UMask=0007",[246,1011,1012,1019,1020,406],{},[249,1013,1014,1015,1018],{},"Using ",[33,1016,1017],{},"\u002Ftmp"," or an app directory for the socket"," → Cleanup or restrictive permissions break access after reboot or deploy → Move the socket to ",[33,1021,1022],{},"\u002Frun\u002Fgunicorn\u002Fapp.sock",[246,1024,1025,1031,1032,1035,1036,1039],{},[249,1026,1027,1028,1030],{},"systemd recreates ",[33,1029,236],{}," without the right permissions"," → Manual fixes disappear after restart → Use ",[33,1033,1034],{},"RuntimeDirectory="," and ",[33,1037,1038],{},"RuntimeDirectoryMode="," in the unit file.",[246,1041,1042,1045],{},[249,1043,1044],{},"Nginx points to a different socket path than Gunicorn"," → Nginx reports connect permission or missing socket errors → Make both configs use the same path.",[246,1047,1048,1051],{},[249,1049,1050],{},"SELinux or AppArmor policy blocks access"," → File mode looks correct but access is denied → Check security policy logs and adjust context or profile rules.",[246,1053,1054,1057,1058,1061],{},[249,1055,1056],{},"Socket created before group membership change took effect"," → Nginx or Gunicorn still runs with old group state → Restart both services after ",[33,1059,1060],{},"usermod"," or unit changes.",[246,1063,1064,1069,1070,406],{},[249,1065,1066,1067],{},"Overly restrictive ",[33,1068,232],{}," → Gunicorn creates the socket without group 
access → Set ",[33,1071,1009],{},[18,1073,1075],{"id":1074},"debugging-section","Debugging Section",[14,1077,1078],{},"Check the exact failure point with these commands:",[26,1080,1082],{"className":28,"code":1081,"language":30,"meta":31,"style":31},"sudo journalctl -u gunicorn -n 100 --no-pager\nsudo tail -n 100 \u002Fvar\u002Flog\u002Fnginx\u002Ferror.log\nsystemctl cat gunicorn\nnamei -l \u002Frun\u002Fgunicorn\u002Fapp.sock\nls -lah \u002Frun\u002Fgunicorn \u002Frun\u002Fgunicorn\u002Fapp.sock\nps -eo user,group,cmd | grep 'nginx: worker'\nsudo nginx -t\nsudo systemctl restart gunicorn && sleep 1 && ls -lah \u002Frun\u002Fgunicorn\u002Fapp.sock\ncurl -I http:\u002F\u002F127.0.0.1\ngetenforce\nsudo aa-status\n",[33,1083,1084,1103,1117,1125,1133,1143,1157,1165,1190,1198,1202],{"__ignoreMap":31},[36,1085,1086,1088,1091,1094,1096,1098,1101],{"class":38,"line":39},[36,1087,43],{"class":42},[36,1089,1090],{"class":46}," journalctl",[36,1092,1093],{"class":50}," -u",[36,1095,80],{"class":46},[36,1097,393],{"class":50},[36,1099,1100],{"class":50}," 100",[36,1102,711],{"class":50},[36,1104,1105,1107,1110,1112,1114],{"class":38,"line":60},[36,1106,43],{"class":42},[36,1108,1109],{"class":46}," tail",[36,1111,393],{"class":50},[36,1113,1100],{"class":50},[36,1115,1116],{"class":46}," 
\u002Fvar\u002Flog\u002Fnginx\u002Ferror.log\n",[36,1118,1119,1121,1123],{"class":38,"line":91},[36,1120,322],{"class":42},[36,1122,325],{"class":46},[36,1124,57],{"class":46},[36,1126,1127,1129,1131],{"class":38,"line":104},[36,1128,781],{"class":42},[36,1130,784],{"class":50},[36,1132,219],{"class":46},[36,1134,1135,1137,1139,1141],{"class":38,"line":116},[36,1136,210],{"class":42},[36,1138,213],{"class":50},[36,1140,216],{"class":46},[36,1142,219],{"class":46},[36,1144,1145,1147,1149,1151,1153,1155],{"class":38,"line":123},[36,1146,362],{"class":42},[36,1148,365],{"class":50},[36,1150,368],{"class":46},[36,1152,372],{"class":371},[36,1154,267],{"class":42},[36,1156,377],{"class":46},[36,1158,1159,1161,1163],{"class":38,"line":130},[36,1160,43],{"class":42},[36,1162,187],{"class":46},[36,1164,811],{"class":50},[36,1166,1167,1169,1171,1173,1175,1177,1180,1182,1184,1186,1188],{"class":38,"line":136},[36,1168,43],{"class":42},[36,1170,164],{"class":46},[36,1172,177],{"class":46},[36,1174,80],{"class":46},[36,1176,194],{"class":193},[36,1178,1179],{"class":42},"sleep",[36,1181,762],{"class":50},[36,1183,194],{"class":193},[36,1185,210],{"class":42},[36,1187,213],{"class":50},[36,1189,219],{"class":46},[36,1191,1192,1194,1196],{"class":38,"line":142},[36,1193,847],{"class":42},[36,1195,850],{"class":50},[36,1197,853],{"class":46},[36,1199,1200],{"class":38,"line":148},[36,1201,895],{"class":42},[36,1203,1204,1206],{"class":38,"line":154},[36,1205,43],{"class":42},[36,1207,916],{"class":46},[14,1209,1210],{},"What to look for:",[987,1212,1213,1219,1225,1228,1234,1243],{},[246,1214,1215,1218],{},[33,1216,1217],{},"connect() to unix:\u002F... 
failed (13: Permission denied)"," in Nginx logs",[246,1220,1221,1224],{},[33,1222,1223],{},"bind: permission denied"," or startup failures in Gunicorn logs",[246,1226,1227],{},"mismatch between Nginx socket path and Gunicorn bind path",[246,1229,1230,1231],{},"directory traversal failures in ",[33,1232,1233],{},"namei -l",[246,1235,1236,1237,1239,1240],{},"wrong owner\u002Fgroup on ",[33,1238,471],{}," or ",[33,1241,1242],{},"app.sock",[246,1244,1245,1246,877,1249,233,1252,1254],{},"missing ",[33,1247,1248],{},"RuntimeDirectory",[33,1250,1251],{},"Group",[33,1253,232],{}," in the unit file",[14,1256,1257,1258,1263,1264,406],{},"If Gunicorn does not start at all, also check ",[1259,1260,1262],"a",{"href":1261},"\u002Ffix-issues\u002Fflask-gunicorn-service-failed-to-start","Flask Gunicorn Service Failed to Start",". If Nginx cannot reach Gunicorn for non-permission reasons, see ",[1259,1265,1267],{"href":1266},"\u002Ffix-issues\u002Ffix-nginx-not-connecting-to-gunicorn-connection-refused","Fix: Nginx Not Connecting to Gunicorn (Connection Refused)",[18,1269,1271],{"id":1270},"checklist","Checklist",[987,1273,1276,1285,1291,1305,1311,1321,1330],{"className":1274},[1275],"contains-task-list",[246,1277,1280,1284],{"className":1278},[1279],"task-list-item",[1281,1282],"input",{"disabled":119,"type":1283},"checkbox"," Nginx and Gunicorn use the exact same Unix socket path.",[246,1286,1288,1290],{"className":1287},[1279],[1281,1289],{"disabled":119,"type":1283}," The socket parent directory exists and is accessible by the Nginx worker user\u002Fgroup.",[246,1292,1294,1296,1297,877,1300,1302,1303,406],{"className":1293},[1279],[1281,1295],{"disabled":119,"type":1283}," The Gunicorn systemd unit sets the correct ",[33,1298,1299],{},"User",[33,1301,1251],{},", and ",[33,1304,232],{},[246,1306,1308,1310],{"className":1307},[1279],[1281,1309],{"disabled":119,"type":1283}," The socket file is owned by the Gunicorn user and a group Nginx can 
access.",[246,1312,1314,1316,1317,1320],{"className":1313},[1279],[1281,1315],{"disabled":119,"type":1283}," ",[33,1318,1319],{},"systemctl restart gunicorn"," recreates the socket successfully.",[246,1322,1324,1316,1326,1329],{"className":1323},[1279],[1281,1325],{"disabled":119,"type":1283},[33,1327,1328],{},"nginx -t"," passes and Nginx reloads without errors.",[246,1331,1333,1335,1336,1339],{"className":1332},[1279],[1281,1334],{"disabled":119,"type":1283}," Requests through Nginx no longer return ",[33,1337,1338],{},"502"," or upstream permission errors.",[18,1341,1343],{"id":1342},"related-guides","Related Guides",[987,1345,1346,1352,1356,1360],{},[246,1347,1348],{},[1259,1349,1351],{"href":1350},"\u002Fdeploy\u002Fdeploy-flask-with-nginx-plus-gunicorn-step-by-step-guide","Deploy Flask with Nginx + Gunicorn (Step-by-Step Guide)",[246,1353,1354],{},[1259,1355,1267],{"href":1266},[246,1357,1358],{},[1259,1359,1262],{"href":1261},[246,1361,1362],{},[1259,1363,1365],{"href":1364},"\u002Fchecklist\u002Fflask-production-checklist-everything-you-must-do","Flask Production Checklist (Everything You Must Do)",[18,1367,1369],{"id":1368},"faq","FAQ",[14,1371,1372,1378,1380],{},[249,1373,1374,1375,1377],{},"Q: What does ",[33,1376,1217],{}," mean?",[253,1379],{},"\nA: Nginx found the socket path but cannot access the socket file or one of its parent directories due to permission or security policy restrictions.",[14,1382,1383,1390,1392,1393,1395],{},[249,1384,1385,1386,1389],{},"Q: Is changing the socket to mode ",[33,1387,1388],{},"777"," a good fix?",[253,1391],{},"\nA: No. It is insecure and usually unnecessary. 
Use the correct shared group, parent directory permissions, and systemd ",[33,1394,232],{}," instead.",[14,1397,1398,1405,1407,1408,1410],{},[249,1399,1400,1401,1404],{},"Q: Why use ",[33,1402,1403],{},"RuntimeDirectory=gunicorn"," in systemd?",[253,1406],{},"\nA: It makes systemd create ",[33,1409,471],{}," automatically on service start with predictable ownership and permissions.",[14,1412,1413,1416,1418,1419,1422],{},[249,1414,1415],{},"Q: Can I avoid socket permission problems entirely?",[253,1417],{},"\nA: Yes. You can bind Gunicorn to ",[33,1420,1421],{},"127.0.0.1:8000"," and proxy to TCP from Nginx, though Unix sockets are still a common production choice on single-host deployments. Note that a loopback TCP port accepts connections from any local user or process, whereas the socket's file permissions limit access to the shared group.",[18,1424,1426],{"id":1425},"final-takeaway","Final Takeaway",[14,1428,1429],{},"Gunicorn socket permission errors are usually access-control mismatches, not application bugs. Fix the socket path, parent directory permissions, systemd user\u002Fgroup\u002Fumask, and runtime directory creation, then validate with logs and file permission checks.",[1431,1432,1433],"style",{},"html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: 
var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}",{"title":31,"searchDepth":60,"depth":60,"links":1435},[1436,1437,1438,1439,1440,1441,1442,1443,1444],{"id":20,"depth":60,"text":21},{"id":225,"depth":60,"text":226},{"id":240,"depth":60,"text":241},{"id":984,"depth":60,"text":985},{"id":1074,"depth":60,"text":1075},{"id":1270,"depth":60,"text":1271},{"id":1342,"depth":60,"text":1343},{"id":1368,"depth":60,"text":1369},{"id":1425,"depth":60,"text":1426},"Complete guide on gunicorn socket permission denied (fix guide) for Flask production environments.","md",{"ogTitle":5,"ogDescription":1445,"twitterCard":1448,"robots":1449,"canonical":1450},"summary_large_image","index, follow","https:\u002F\u002Fflask-deployment.com\u002Ffix-issues\u002Fgunicorn-socket-permission-denied-fix-guide","\u002Ffix-issues\u002Fgunicorn-socket-permission-denied-fix-guide",{"title":5,"description":1445},"fix-issues\u002Fgunicorn-socket-permission-denied-fix-guide","y1PaGuvlWjq4p0wkCu6gKgpsmrsOPdwMHQ7RpBNy9vY",1776805765051]