Still confused by Permissions - linux, nginx, php-fpm
Solution 1
The most sensible approach I came up with was this:
Look in /etc/php-fpm.d/www.conf to see which user FPM uses. In my case it was 'apache'. Then I added this user to the 'nginx' group.
And now I can control permissions in a consistent manner - the user is me and I have full permission, the group is 'nginx', which has read (and r+x for dirs), and it's consistent, so both web content (accessed by nginx) and PHP (accessed by php-fpm) is set by the group 'nginx'.
Another good reason not to change the user or group in the php-fpm configuration is to avoid dealing with the fallout of permission issues - php-fpm created various folders/files using its previous user, and now it can't access them since it no longer uses the same user. For example, PHP session data (see /var/lib/php/session).
I hope this helps!
Solution 2
Solved:
php-fpm doesn't run as the nginx user, of course. It can be configured (in CentOS) in the file /etc/php-fpm.d/www.conf. I edited its config by adding line 45:
44 ;group = nobody
45 group = webadmin
Then restarted it:
sudo /etc/init.d/php-fpm restart
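The check both solutions come down to, as an added example that is not part of the original answers: read the user and group a php-fpm pool runs as from its pool file, then evaluate whether that identity can create files in a directory with a given owner, group and mode. The pool file contents (including the "before" group value) are constructed, and `pool_value` and `can_write_dir` are hypothetical helper names.

```sh
#!/bin/sh
# Added example; pool contents below are constructed, helper names are hypothetical.

# Print the effective KEY (user or group) from a php-fpm pool file.
# Lines starting with ';' are comments; the last live assignment wins.
pool_value() {  # usage: pool_value KEY FILE
  awk -F= -v key="$1" '
    /^[ \t]*;/ { next }
    { k = $1; gsub(/[ \t]/, "", k) }
    k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
    END { print val }' "$2"
}

# Can a process (PUSER, space-separated PGROUPS) create files in a directory
# with this OWNER, GROUP and octal MODE? Classes are tried in kernel order:
# owner, then group, then other. Root and ACLs are ignored here.
can_write_dir() {  # usage: can_write_dir OWNER GROUP MODE PUSER "PGROUPS"
  m=${3#"${3%???}"}              # last three digits; drops setgid/sticky
  if [ "$4" = "$1" ]; then bits=${m%??}
  else
    case " $5 " in
      *" $2 "*) bits=${m#?}; bits=${bits%?} ;;
      *)        bits=${m#??} ;;
    esac
  fi
  [ $(( ${bits} & 3 )) -eq 3 ]   # creating a file needs write (2) + search (1)
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# "before": assumed original pool settings; "after": the group change from Solution 2
printf '[www]\nuser = apache\n;group = nobody\ngroup = apache\n' > "$tmp/before.conf"
printf '[www]\nuser = apache\n;group = nobody\ngroup = webadmin\n' > "$tmp/after.conf"

for f in before after; do
  u=$(pool_value user "$tmp/$f.conf"); g=$(pool_value group "$tmp/$f.conf")
  # On a live host, also pass the user's supplementary groups: $(id -Gn "$u")
  # uploads in the question: drwxrwsr-x ade webadmin, i.e. mode 2775
  if can_write_dir ade webadmin 2775 "$u" "$g"; then r="writable"
  else r="NOT writable"; fi
  echo "$f: pool runs as $u:$g -> uploads is $r"
done
```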
Ade
Ade is an independent designer, developer and technical consultant. He was previously the Technical Director at Milk Student Planner, and Technical Partner at digital production studio Pirata London.
Updated on September 18, 2022
Comments
-
Ade almost 2 years
I have read the canonical answer at What permissions should my website files/folders have on a Linux webserver?
However I'm still stuck. My setup is:
- A developer user 'ade' who owns the directories and files that comprise a website
- The server is nginx with php-fpm via a socket:
fastcgi_pass unix:/tmp/php5-fpm.sock;
- Website contains an uploads directory that must be writable by PHP when running in this configuration
- I don't want to set permissions to 777, obviously
I have created a webadmin group and added both 'ade' and nginx to it:
$ groups ade
ade : ade webadmin
$ groups nginx
nginx : nginx webadmin
I have set the owner of everything in the site to be me and the webadmin group:
chown ade:webadmin *
...as you can see:
drwxrwxr-x 2 ade webadmin 4096 Jul 3 13:58 logs
drwxrwxr-x 5 ade webadmin 4096 Jul 4 08:35 public
drwxrwxr-x 4 ade webadmin 4096 Jul 3 16:18 system
drwxrwsr-x 2 ade webadmin 4096 Jul 9 16:13 uploads
However despite the permissions of uploads being 775 (rwx for both user and group) nginx and php cannot write to the folder. Only if I set it to 777 can it upload images to it.
I saw the advice about using chmod u+w in the above canonical answer but don't understand why this is necessary.
-
SunSparc almost 11 years
Do you see any errors in the logs? What are the permissions and ownership of the parent directory for uploads?
-
Zoredache almost 11 years
What user is php-fpm running as? Have you made sure that user has access?
-
Ade almost 11 years
@Zoredache - Thanks - yes of course that's a different process. I set the group to webadmin (didn't know you could do that) and it's solved the problem.
-
Zoredache almost 11 years
You should self-answer your question with details about what you have changed.
-
Ade almost 11 years
@Zoredache yes, just did - thanks a lot. The fact that it's a socket connection should have made it obvious to me that it's running as a separate process rather than under nginx (as PHP does with mod_php in Apache).