I have read the canonical answer at "What permissions should my website files/folders have on a Linux webserver?"

However I'm still stuck. My setup is:

  • A developer user 'ade' who owns the directories and files that comprise a website
  • The server is nginx with php-fpm via a socket: fastcgi_pass unix:/tmp/php5-fpm.sock;
  • Website contains an uploads directory that must be writable by PHP when running in this configuration
  • I don't want to set permissions to 777, obviously

I have created a webadmin group and added both 'ade' and nginx to it:

$ groups ade
ade : ade webadmin

$ groups nginx
nginx : nginx webadmin

I have set the owner of everything in the site to be me and the webadmin group: chown ade:webadmin *

...as you can see:

drwxrwxr-x 2 ade webadmin 4096 Jul  3 13:58 logs
drwxrwxr-x 5 ade webadmin 4096 Jul  4 08:35 public
drwxrwxr-x 4 ade webadmin 4096 Jul  3 16:18 system
drwxrwsr-x 2 ade webadmin 4096 Jul  9 16:13 uploads

However, despite the permissions of uploads being 775 (rwx for both user and group), nginx and PHP cannot write to the folder. Only if I set it to 777 can it upload images to it.

I saw the advice about using chmod u+w in the above canonical answer but don't understand why this is necessary.

Ade
  • Do you see any errors in the logs? What are the permissions and ownership of the parent directory for `uploads`? – SunSparc Jul 09 '13 at 16:32
  • What user is php-fpm running as? Have you made sure that user has access? – Zoredache Jul 09 '13 at 16:44
  • @Zoredache - Thanks - yes, of course that's a different process. I set the group to webadmin (didn't know you could do that) and it's solved the problem. – Ade Jul 09 '13 at 17:30
  • You should self-answer your question with details about what you have changed. – Zoredache Jul 09 '13 at 17:33
  • @Zoredache yes, just did - thanks a lot. The fact that it's a socket connection should have made it obvious to me that it's running as a separate process rather than under nginx (as PHP does with mod_php in Apache). – Ade Jul 09 '13 at 17:39

2 Answers

Solved:

php-fpm doesn't run as the nginx user, of course. It can be configured (on CentOS) in the file /etc/php-fpm.d/www.conf. I edited its config by adding line 45:

44  ;group = nobody
45  group = webadmin

Then restarted it:

sudo /etc/init.d/php-fpm restart
Ade

The most sensible approach I came up with was this:

Look in /etc/php-fpm.d/www.conf to see which user FPM uses. In my case it was 'apache'. Then I added this user to the 'nginx' group.

And now I can control permissions in a consistent manner: the user is me and I have full permission, the group is 'nginx', which has read (and r+x for dirs), and it's consistent, so both web content (accessed by nginx) and PHP (accessed by php-fpm) are controlled by the group 'nginx'.

Another good reason not to change the user or group in the php-fpm configuration is to avoid dealing with the fallout of permission issues: php-fpm created various folders/files using its previous user, and now it can't access them since it no longer uses the same user. For example, PHP session data (see /var/lib/php/session).

I hope this helps!

justabuzz
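Both answers come down to the same thing: the identity of the php-fpm worker, not of nginx, is what the kernel checks against the owner, group and world bits of uploads. As an added illustration (not code from the question or either answer), this POSIX shell script applies the Unix permission rule to the directory listed above (drwxrwsr-x ade webadmin) for each identity from the thread; fpm_identity is an assumed helper that reads the real worker identity from ps and only prints something when php-fpm is running.

```shell
#!/bin/sh
# Added example, not from the question or answers. Unix rule: if the uid is the
# owner, only the owner bits count; else, if any of the process's groups
# (primary or supplementary) is the file's group, only the group bits count;
# else the world bits. Names (ade, nginx, apache, webadmin) are the thread's own.

# can_write USER "GROUP..." OWNER GROUP OCTAL_MODE -> prints yes or no
can_write() {
    user=$1 ugroups=$2 owner=$3 fgroup=$4 mode=$5
    perms=${mode#"${mode%???}"}            # keep the last three digits: 2775 -> 775
    o_bits=${perms%??}                     # owner digit
    g_bits=${perms#?}; g_bits=${g_bits%?}  # group digit
    w_bits=${perms#??}                     # world digit
    if [ "$user" = "$owner" ]; then
        bits=$o_bits
    else
        bits=$w_bits
        for g in $ugroups; do
            [ "$g" = "$fgroup" ] && bits=$g_bits && break
        done
    fi
    # write permission is the 2 bit of the selected octal digit
    if [ $(( bits & 2 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Assumed helper: user and group the php-fpm workers really run as
# (the question assumed nginx). Master process (root) is skipped.
fpm_identity() {
    ps -eo user=,group=,comm= 2>/dev/null |
        awk '$3 ~ /php-fpm/ && $1 != "root" { print $1, $2 }' | sort -u
}

report() {
    printf '%-7s groups=[%-15s] -> write to uploads: %s\n' "$1" "$2" "$(can_write "$@")"
}

# The listing from the question: drwxrwsr-x ade webadmin uploads (mode 2775)
report ade    "ade webadmin"    ade webadmin 2775   # owner bits: yes
report nginx  "nginx webadmin"  ade webadmin 2775   # yes, but nginx is not the writer
report apache "apache"          ade webadmin 2775   # php-fpm's real identity: world bits, no
report apache "apache webadmin" ade webadmin 2775   # after 'group = webadmin' in www.conf: yes
report apache "apache nginx"    ade nginx    2775   # second answer: apache added to group nginx: yes

ident=$(fpm_identity)
if [ -n "$ident" ]; then printf 'php-fpm workers on this host run as:\n%s\n' "$ident"; fi
```

Note that a matching group never falls through to the world bits: with mode 757 a webadmin member still cannot write, which is the rule that makes 777 "work" when the group is wrong.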