Is there a way in which nginx/php can be configured so it creates files with a specific user?

For example, when a Drupal/WordPress site uploads a file, the user is assigned like: john:www-data

nginx.conf does have a user, but from what I understand this only changes the user nginx uses on the system.

jamboNum5

2 Answers

There is no way to do that. PHP is run by the PHP-FPM process, which runs as a specific user. The files created are owned by that user.

Only the superuser can change the owner of the file, and it is not safe to run the PHP-FPM process with superuser privileges.

Your only option for changing the ownership of files uploaded by the process is to change the user you run PHP-FPM as.

Tero Kilkanen

As Tero has suggested, you would need to change the user of your php-fpm process responsible for hosting the site you'd like to affect.

PHP-FPM has "pools" and I think most administrators will typically have one pool per site hosted. So, if you're hosting example.com and another-example.com, you could have two php-fpm pools that each run their respective site. The benefit of different pools is that you can define configuration for each separately (and thus run the processes as different users/groups).

You didn't specify your distribution/config, so I can only tell you that your pool config files are probably located at /etc/php-fpm.d/*.conf. So, you could have /etc/php-fpm.d/example.com.conf with:

[example.com]
user = john
group = www-data
...

And then another pool /etc/php-fpm.d/another-example.com.conf with:

[another-example.com]
user = sally
group = www-data
...

The php-fpm configs are in INI format, and what I posted is only the relevant user/group directives. There are more configuration options necessary for a proper pool definition. See the "List of Pool directives" section on this page for more information on that.

You will need to restart your php-fpm service to make pool changes effective. You can test your configuration before restarting (and thus avoid possible downtime) with php-fpm -t on most systems. I think some distributions use php5-fpm -t.

Lastly, yes, as you said, the nginx.conf user/group directives only affect Nginx. PHP-FPM runs as a separate process, more or less independent of Nginx.

ldennison
  • Great answer, this seems like the best solution, do you know if there are any security issues with this method? – jamboNum5 Jun 24 '15 at 08:50
  • @Fyberoptik Well, security is a broad topic, but this approach (i.e. separating your sites with different PHP pools with different users) isolates each site more than having a single generic user for your entire server. So, assuming you set your site file permissions appropriately, this would be a more secure approach. Some things, though, like Opcache are shared across pools. Thus, you gain security and isolation, but it is not absolute (and never will be theoretically). I don't know of any security _disadvantages_ to this method, though. – ldennison Jun 25 '15 at 03:22
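
An added example, not part of the original answers or of PHP-FPM itself: a small audit of pool definitions for the per-site isolation discussed above, flagging pools that run as the superuser, pools that share a user, and groups shared across pools. `audit_pools`, `SAMPLE_POOLS` and the `blog` and `shop` pools are hypothetical names constructed for illustration.

```python
import configparser
from collections import defaultdict

# Constructed sample: the two pools from the answer, plus two hypothetical
# pools ("blog", "shop") that show the misconfigurations being checked.
SAMPLE_POOLS = """
[example.com]
user = john
group = www-data

[another-example.com]
user = sally
group = www-data

[blog]
user = john
group = john

[shop]
user = root
group = root
"""

def audit_pools(text):
    """Return (findings, notes) for PHP-FPM pool definitions given as INI text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    by_user, by_group = defaultdict(list), defaultdict(list)
    findings, notes = [], []
    for pool in cp.sections():
        if pool == "global":              # [global] holds daemon settings, not a pool
            continue
        user = cp.get(pool, "user", fallback=None)
        group = cp.get(pool, "group", fallback=None)
        if user in ("root", "0"):         # name or numeric UID of the superuser
            findings.append(f"{pool}: runs as superuser")
        if user:
            by_user[user].append(pool)
        if group:
            by_group[group].append(pool)
    for user, pools in sorted(by_user.items()):
        if len(pools) > 1:                # same UID means no isolation between sites
            findings.append(f"user {user} shared by {', '.join(pools)}")
    for group, pools in sorted(by_group.items()):
        if len(pools) > 1:                # group permission bits then cross pools
            notes.append(f"group {group} shared by {', '.join(pools)}: "
                         "avoid group-writable site files")
    return findings, notes
```

A shared group such as www-data is reported as a note rather than a finding, because it is usually needed so nginx can read the files; it only weakens isolation when site files carry group permissions they do not need.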