How to validly set permissions for nginx and php-fpm?
Good afternoon!
By default, nginx and php-fpm user is www-data
Accordingly, files in the site folder must belong to the www-data user or the www-data group
But if I go to the site folder as the jack user and create a file or folder, or run git pull, then whatever is created accordingly has user and group jack. So nginx does not have access.
Let's say I have a working user jack
I can assign the owner and group jack to the site folder and add www-data to the jack group and it seems to be a solution. But php-fpm will create files under www-data and somehow some of the files will be with different owners.
I can't figure out how to handle this correctly.
I would be grateful if you share your experience.
Thanks
Nginx has nothing to do with it. This is configured in the PHP-FPM pool.
```ini
[{{ username }}]
user = {{ username }}
group = {{ username }}
listen = /var/run/php/php{{ php }}-fpm-{{ username }}.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]
;php_flag[display_errors] = off
php_admin_value[error_log] = /var/www/{{ username }}/logs/fpm-php.{{ username }}.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
php_admin_value[upload_max_filesize] = 100M
php_admin_value[post_max_size] = 100M
php_admin_value[open_basedir] = /var/www/{{ username }}/
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source,stream_set_write_buffer,stream_socket_sendto,highlight_file,com_load_typelib
php_admin_value[upload_tmp_dir] = /var/www/{{ username }}/tmp
php_admin_value[soap.wsdl_cache_dir] = /var/www/{{ username }}/tmp
```

```nginx
server {
    listen 80;
    #listen [::]:80 default_server ipv6only=on;
    root /var/www/{{ username }}/www;
    index index.php index.html index.htm;
    server_name {{ domain }};

    location / {
        try_files $uri $uri/ =404;
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php?q=$1 last;
        }
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php{{ php }}-fpm-{{ username }}.sock;
        include fastcgi_params;
    }

    client_max_body_size 100M;
}
```
1. All files and folders belong to the user jack:jack, with permissions 644 for files and 755 for directories.
2. All directories the site must write to are created as www-data:jack, with the same permissions.
In general, where the site should write, it writes as www-data; where it should not, write permission is simply not granted at the file system level.
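The two answers above describe a permission layout (jack:jack with 644/755, www-data owning only the writable directories) and a PHP-FPM pool that runs as the site user while handing its socket to www-data. The script below is an added example, not code from either answer: it applies that layout to a site tree, flags any file or directory whose mode deviates from it, and checks a pool file for the user/socket split. It assumes GNU find, that ownership changes are only attempted when run as root (the mode fixes and the checks work unprivileged on a scratch tree), that the pool file uses plain `key = value` lines, and that the `www-data`, `jack` and `uploads`/`cache` names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from either answer. Applies jack:jack + 644/755
# with www-data owning only the writable directories, then verifies the
# tree and a PHP-FPM pool file. Assumptions: GNU find, chown only as root,
# pool file written as plain "key = value" lines.
set -eu

# apply_site_perms <site_root> <owner> <group> [writable_subdir ...]
#   files 644, directories 755, everything owner:group; the listed writable
#   subdirs (uploads, cache, tmp ...) become www-data:<group>, same modes
apply_site_perms() {
    site_root=$1; owner=$2; group=$3; shift 3
    find "$site_root" -type d -exec chmod 755 {} +
    find "$site_root" -type f -exec chmod 644 {} +
    if [ "$(id -u)" -eq 0 ]; then chown -R "$owner:$group" "$site_root"; fi
    for sub in "$@"; do
        mkdir -p "$site_root/$sub"
        chmod 755 "$site_root/$sub"
        if [ "$(id -u)" -eq 0 ]; then chown -R "www-data:$group" "$site_root/$sub"; fi
    done
    return 0
}

# check_site_perms <site_root>
#   returns 1 and lists every path that is not exactly 644 (file) / 755 (dir);
#   this catches world-writable dirs and 600 files left by a careless git pull
check_site_perms() {
    bad=$(find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \))
    if [ -n "$bad" ]; then
        printf 'unexpected mode on:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# pool_value <pool_conf> <key_regex>  -> first "key = value" match, value only
pool_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_pool_user <pool_conf> <site_user> <nginx_user>
#   the pool must run as the site user (so files PHP creates are jack's),
#   while the socket belongs to nginx's user so nginx is allowed to connect
check_pool_user() {
    conf=$1; site_user=$2; nginx_user=$3
    for pair in "user=$site_user" "group=$site_user" \
                "listen.owner=$nginx_user" "listen.group=$nginx_user"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(pool_value "$conf" "$(printf '%s' "$key" | sed 's/\./\\./g')")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', expected '$want'" >&2
            return 1
        fi
    done
    return 0
}

# demo: constructed scratch site with the typical damage (world-writable
# upload dir, a 600 file), repaired and checked together with a sample pool
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/uploads"
    printf '<?php echo 1;\n' > "$tmp/www/index.php"
    chmod 777 "$tmp/www/uploads"
    chmod 600 "$tmp/www/index.php"
    apply_site_perms "$tmp/www" jack jack uploads cache
    # constructed pool file; the {{ php }} placeholder is kept from the answer
    cat > "$tmp/pool.conf" <<'EOF'
[jack]
user = jack
group = jack
listen = /var/run/php/php{{ php }}-fpm-jack.sock
listen.owner = www-data
listen.group = www-data
EOF
    rc=0
    check_site_perms "$tmp/www" || rc=1
    check_pool_user "$tmp/pool.conf" jack www-data || rc=1
    rm -rf "$tmp"
    return $rc
}

demo && echo "site tree and pool file are consistent"
```

Run it as root on the real `/var/www/<user>/www` to also apply ownership; unprivileged it only normalises modes. Writable directories deliberately keep 755 rather than 775, matching the second answer: PHP writes there as their owner www-data, and jack only reads, so nothing on the site is group- or world-writable.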