Home / server / Questions / 521973
Accepted
Ade
Asked: 2013-07-10 08:21:24 +0800 CST

Still confused by Permissions - linux, nginx, php-fpm

  • 772

I have read the canonical answer at What permissions should my website files/folders have on a Linux webserver?

However I'm still stuck. My setup is:

  • A developer user 'ade' who owns the directories and files that comprise a website
  • The server is nginx with php-fpm via a socket: fastcgi_pass unix:/tmp/php5-fpm.sock;
  • Website contains an uploads directory that must be writable by PHP when running in this configuration
  • I don't want to set permissions to 777, obviously

I have created a webadmin group and added both 'ade' and nginx to it:

$ groups ade
ade : ade webadmin

$ groups nginx
nginx : nginx webadmin

I have set the owner of everything in the site to be me and the webadmin group: chown ade:webadmin *

...as you can see:

drwxrwxr-x 2 ade webadmin 4096 Jul  3 13:58 logs
drwxrwxr-x 5 ade webadmin 4096 Jul  4 08:35 public
drwxrwxr-x 4 ade webadmin 4096 Jul  3 16:18 system
drwxrwsr-x 2 ade webadmin 4096 Jul  9 16:13 uploads

However despite the permissions of uploads being 775 (rwx for both user and group) nginx and php cannot write to the folder. Only if I set it to 777 can it upload images to it.

I saw the advice about using chmod u+w in the above canonical answer but don't understand why this is necessary.

nginx

2 Answers

  1. Solved:

    php-fpm doesn't run as the nginx user of course. It can be configured (in CentOS) in the file /etc/php-fpm.d/www.conf. I edited its config by adding line 45:

    44  ;group = nobody
45  group = webadmin

    Then restarted it:

    sudo /etc/init.d/php-fpm restart
    • 5
  2. Best Answer

    The most sensible approach I came up with was this:

    Look at /etc/php-fpm.d/www.conf what is the user that FPM uses. In my case it was 'apache'. Then I added this user to 'nginx' group.

    And now I can control permissions in a consistent manner - user is me and I have full permission, group is 'nginx', which has read (and r+x for dirs), and it's consistent so both web content (accessed by nginx) and PHP (accessed by php-fpm) is set by the group 'nginx'.

    Another good reason not to change the user or group in the php-fpm configuration is to avoid dealing with a fallout of permission issues - php-fpm created various folders/files using its previous user. And now it can't access them since no longer uses the same user. For example PHP session data (see /var/lib/php/session).

    I hope this helps!

    • 1