PHP-FPM + Laravel + Nginx + Ubuntu permission

I tried to search about this question before, but there seems to be nowhere where it is explained thoroughly, mostly only pieces of problem such as app/storage permission has not been set so webserver can write file, but my problem seems bigger and more fundamental, I hope someone can explain thoroughly how this should be setup, preferably without needing to set permission to 777.

So my stack is Ubuntu 14.04, PHP 5.6 with PHP-FPM because I use nginx 1.4.6 and I use Laravel 4.2 as framework, ow and one more I use Git as my versioning tool. So what is the necessary step-by-step to allow the following:

1. Setting the initial project, Git and Nginx:

   So as far as I know, Nginx is set up to use username www-data as default right? Does it means that I have to assign my user e.g. kevin to the group www-data? When I am initialize git, create the project using composer, set up SSH public/private key, do I need to belong to the group www-data or I have to be sudo or what? In my production server, I tried using sudo for setting up everything somehow it makes it easier to do all the thing above, but is it the best practice?

2. Making app/storage writable for webserver:

   I think this is the second and most vital for Laravel, because unless this works Laravel won't be running, my knowledge is that this folder has to be writable by the webserver (nginx), so I need to set this to sudo chown -R www-data:www-data app/storage and sudo chmod -R 664 app/storage right? But somehow this doesn't seem to work all the time because during my development sometimes it will tell that a cache of a view cannot be written into the app/storage folder, so in the end I has to set it to 777 or 775 if I'm lucky.

3. Public folder, or place of my assets

   Here I have some inconsistency too, I have set it up at the end to 777 to ensure that all my files can be accessed by nginx. Sometimes nginx will tell me that some image in my asset folder seems to be forbidden and it will only return HTTP 200 if I either set to 777 or change the group to www-data:www-data, do I have to change the permission or group for every image that I created from Gimp, Photoshop, or when I downloaded from Dropbox or from my email when my graphic designer design new icons?

4. File Upload

   So somewhere around the time, people will be able to upload for example their profile picture, or when I post a blog I can upload a picture, it means that at some point the file upload script will move the file from the /tmp folder to my public folder, it may need to only write into a subdirectory in public or maybe sometimes it needs to create a folder based on a certain id and move the file into the directory, most of time I will get an error that the directory seems not to be writable or some permission error as such during of the execution of the script. Does this mean that the PHP process has to be run with certain permission too? Or does it mean that the directory has to have a certain permission? Does this problem relate to the Nginx service or does it relate to the PHP process?

   I have the experience to use packages such as roumen/sitemap or jlapp/swaggervel, they seems to use the same Facade File, but somehow they don't have any problem with permission, I try to replicate their code behaviour but I hit the problem above.

5. Queue, Artisan, other Command-Line based executed script

   Last, are Command-Line based executed script, does this behave the same as script that executed from interaction with webserver, such as the file upload above, or do I need to prepare for other inconsistencies?

Thank you, if someone can explain this to me. I think if I figure it out, I will create a blog post or something, appreciate it guys! :D

Just a quick follow-up question, webserver (nginx) will normally be operating under the user www-data and group www-data right? Hence any folder in the laravel directory that will be assigned to group www-data and have the permission of 775 will be writable by webserver. Right?

@Kevin Second "7" in 775 means readable, writeable and executable by group and group is www-data, so www-data group members (nginx) are permitted to write to such folder.

Okay thanks, I kinda get the concept before, but sometimes during development something went awry. I actually also follow the installation from your link before. It went fine at first initial setup, I guess I need to wrap my mind around this stuff again from the basic. I found it new though that file (e.g.profile picture) which is uploaded should be save in storage, I thought those file should not be accessible from outside, but some stuff does make sense to be put it there directly. Thanks for your reply. I really appreciate it.

@Kevin app/storage (in Laravel 4) or storage (in Laravel 5) folders are not accessible from outside. Only public folder is. Staff, which is in storage area, is brought to users using your code. They don't access this area directly. And safety of this operation depends on quality of your code. I think you should deeply read Laravel documentation.

yeah I know, that's why it won't be trivial for file upload such as profile picture