I have read the canonical answer at What permissions should my website files/folders have on a Linux webserver?
However I'm still stuck. My setup is:
- A developer user 'ade' who owns the directories and files that comprise a website
- The server is nginx with php-fpm via a socket:
fastcgi_pass unix:/tmp/php5-fpm.sock; - Website contains an uploads directory that must be writable by PHP when running in this configuration
- I don't want to set permissions to 777, obviously
I have created a webadmin group and added both 'ade' and nginx to it:
$ groups ade
ade : ade webadmin
$ groups nginx
nginx : nginx webadmin
I have set the owner of everything in the site to be me and the webadmin group: chown ade:webadmin *
…as you can see:
drwxrwxr-x 2 ade webadmin 4096 Jul 3 13:58 logs
drwxrwxr-x 5 ade webadmin 4096 Jul 4 08:35 public
drwxrwxr-x 4 ade webadmin 4096 Jul 3 16:18 system
drwxrwsr-x 2 ade webadmin 4096 Jul 9 16:13 uploads
However despite the permissions of uploads being 775 (rwx for both user and group) nginx and php cannot write to the folder. Only if I set it to 777 can it upload images to it.
I saw the advice about using chmod u+w in the above canonical answer but don't understand why this is necessary.
Best Answer
The most sensible approach I came up with was this:
Look at /etc/php-fpm.d/www.conf what is the user that FPM uses. In my case it was 'apache'. Then I added this user to 'nginx' group.
And now I can control permissions in a consistent manner - user is me and I have full permission, group is 'nginx', which has read (and r+x for dirs), and it's consistent so both web content (accessed by nginx) and PHP (accessed by php-fpm) is set by the group 'nginx'.
Another good reason not to change the user or group in the php-fpm configuration is to avoid dealing with a fallout of permission issues - php-fpm created various folders/files using its previous user. And now it can't access them since no longer uses the same user. For example PHP session data (see /var/lib/php/session).
I hope this helps!