Best way to set up permissions with nginx + php-fpm on shared hosting?

Question

I'm running a shared hosting server with nginx and php-fpm on Debian.

Everything works fine, php-fpm has separate pools for each users running as separate users and they each have their own socks.

Nginx is however running as www-data because I don't want to have separate nginx processes for each user.

This means that in order for nginx to have access to the users data, the permissions of /home have to be drwxr-x--x. The problem is, all users have access to other users files.

What would be the best way to give nginx access to the users files without giving other users access. Running nginx as root is not an option. But would AppArmor help?

Michael Hampton · Accepted Answer · 2015-07-05T21:49:53.367

6

I prefer to use ACLs for this. For instance:

setfacl -R -m user:www-data:rx,d:user:www-data:rx /home

Gives the www-data user access to read files and traverse directories under /home, and applies the same ACL to any new files or directories created later.

Once applied, user home directories no longer have to be world-executable, (e.g. chmod o= /home/$USER) thus users can no longer read each other's files, but nginx can.

Note that if some directories need to be writable by the web server, you can set those up on a case by case basis by changing both instances of the permissions rx to rwx. For example:

setfacl -R -m user:www-data:rwx,d:user:www-data:rwx /home/user/public_html/wp-content/{cache,uploads}

edited Jul 05 '15 at 21:49

answered Mar 05 '13 at 13:01

Michael Hampton

244,070
43
506
972

Wow, that was quick. Thanks, that works perfectly! – dBi Mar 05 '13 at 13:16
exactly what I have been looking for! thank you very much – Aitch Jul 05 '15 at 21:40
But the php command: exec("cat ../../../hasanmerkit/a.txt",$array); is allow to read other user files... – Hasan Merkit May 24 '23 at 12:51

Best way to set up permissions with nginx + php-fpm on shared hosting?

1 Answers1

Linked