Nginx refuses to read new directory in /home

centos6nginxpermissionsphp-fpm

I'm on CentOS6.6, installed "Akeneo" and all went well.

Installed into /home/pim so the actual location for nginx to use is the web directory where app.php is located.

Doing a namei on /home/pim/web/app.php shows:

f: /home/pim/web/app.php
dr-xr-xr-x root  root  /
drwxr-xr-x nginx nginx home
drwxrwxrwx nginx nginx pim
drwxr-xr-x nginx nginx web
-rwxrwxr-x nginx nginx app.php

Nginx is using:

user nginx nginx;
worker_processes  4;

And PHP-FPM is using:

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

; Unix user/group of processes
user = nginx
group = nginx

Anyonan idea on why this isn't working? I've been playing for hours with the permissions now. Hope someone can point me in the right direction.

Best Answer

If SELinux is in Enforcing mode, it won't let you do that... Try changing this boolean to true:

setsebool -P httpd_enable_homedirs on

Please note, I don't recommend disabling SELinux!
There are many tools out there which can help you use SELinux to secure your system.

Please see the CentOS documentation here: http://wiki.centos.org/HowTos/SELinux
Also, check out my favorite video on the topic: SELinux For Mere Mortals

Related Solutions

Nginx – Why WordPress Loads Blank Pages on Nginx and PHP-FPM

By default the Nginx source does not define SCRIPT_FILENAME in the fastcgi_params file, so unless the repo you installed Nginx from does that you need to do it yourself.

Check if the following line is in your fastcgi_params file:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;

and if not then add it.

Read only permissions on some Linux logs

If you provide read permission for the user to the logs directory, this does not ensure that the user has read permission (or any other permission) to the files inside it. You need to provide read permission for this user to each log file separately. Most probably, this is the reason you need to add the reader to the specified groups, it is because those groups have group permission to the log files in question. You can ensure that by running

ls -l

in the logs folder and check in which group each file belongs to.

In your scenario, the most correct way to achieve what you ask is by setting ACLs, which is the strongest unix tool for the job.

Have a look at "ACL: Using Access Control Lists on Linux", it is a big blog post but it describes all the steps perfectly and simply enough to get the feeling.

If you need a more quick-n-dirty solution (which I DO NOT recommend, unless you are not in a production environment), you can just take your user out of every group, and then set the 'Others' permission set to r--, (or xx4 for your chmod octal representation).

EDIT: I ignored the fact that you're trying to do this this on a chrooted environment. In this case, symlinks will not work with ftp (or sftp for that matter) due to the nature of symlinks themselves. A nice explanation lies here, although it seems that I tend to link only big articles.

Nevertheless, you can somewhat achieve the same behavior using mount --bind, which will make the log directory available inside the home dir of the logger user:

mount --bind /var/log /home/logger/logs/

And this will provide you with a logs directory containing everything found inside /var/log. From that point, you can allow the logger group read access only to the specific logs you want and nothing else, so that he won't be able to read e.g. /var/log/auth.log etc. Don't forget to add access to the respective parent folders, because otherwise your user will only be able to access the logs by typing in the full path, which can be sometimes frustrating.

Best Answer

Related Solutions

Nginx – Why WordPress Loads Blank Pages on Nginx and PHP-FPM

Read only permissions on some Linux logs

Related Topic