@The Lazy Admin Club

Imagine this scenario:

I have a PHP-driven website (e.g. WordPress). The webserver runs as user www-root and a php-fpm pool is set up that runs under user:group site1:site1.

Does www-data still need access to the files or can I set my file permissions for the website directory based purely on user site1?

It depends - is the webserver going to be accessing any of the files directly? In many cases you'll still have some kind of static file access that the webserver is going to need access to.

I was thinking from a security perspective. It doesn't seem good practice to have multiple sites all writable by the same user. So if the webserver still needs read access then maybe a chown site1:www-data and a chmod 640 would be most suitable (unless it needs to be publicly readable)?

Or alternatively, chown site1:site1, chmod 640, and add www-data to the site1 group. I've just read that if it's an upload directory, then the webserver will also need write access. But surely if it's a PHP-driven site, uploads are going to be performed via a PHP script, so it's the pool user that requires write permissions?

I would generally try to have as little writable as possible by either the FPM user or the web server. I was going to suggest exactly what you mentioned in your last comment about adding the web server user to the user's group. You could also add the FPM user to the user's group, too.

And I say this in the 'general' sense because in the case of my Friendica node, for example, that's the only purpose of the server, so the FPM instance runs as the user who owns all of the Friendica code. nginx doesn't have any special permission or group access, so things have to be world readable for it.
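As an added example (not from the thread above): a small audit script that checks a web root against the model discussed here, with the PHP-FPM pool user as owner, the web server's group (or the pool user's group that www-data was added to) as group, files 0640 and directories 0750, and upload directories writable only by the pool user. The names site1 and www-data and the wp-content/uploads layout are assumptions for illustration.

```python
import os
import shlex
import stat
from pathlib import Path

FILE_MODE = 0o640   # owner (FPM pool user) rw, group (web server) r, others none
DIR_MODE = 0o750    # directories need x for the web server to traverse them
PHP_SUFFIXES = {".php", ".phtml", ".phar"}


def audit_site(root, owner_uid, group_gid, upload_dirs=()):
    """Walk ``root`` and return sorted (relative_path, problem) tuples.

    Assumed model: every path owned by owner_uid (the php-fpm pool user) with
    group group_gid (the group the web server reads through), files 0640 and
    directories 0750. Upload directories use the same modes because only the
    pool user writes there; a PHP file inside one is flagged because a
    directory PHP can write to should never also serve PHP.
    """
    root = Path(root)
    uploads = [root / u for u in upload_dirs]
    findings = []
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink targets are audited where they actually live
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(st.st_mode)
        expected = DIR_MODE if path.is_dir() else FILE_MODE
        if st.st_uid != owner_uid:
            findings.append((rel, f"owner uid {st.st_uid}, expected {owner_uid}"))
        if st.st_gid != group_gid:
            findings.append((rel, f"group gid {st.st_gid}, expected {group_gid}"))
        if mode != expected:
            findings.append((rel, f"mode {mode:04o}, expected {expected:04o}"))
        in_upload = any(path == u or u in path.parents for u in uploads)
        if in_upload and path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            findings.append((rel, "PHP script inside an upload directory"))
    return sorted(findings)


def fix_commands(root, owner, group, findings):
    """Render the chown/chmod lines an admin would review and run for the
    ownership and mode findings (e.g. owner="site1", group="www-data").
    The PHP-in-uploads finding is left for a human to inspect."""
    cmds = set()
    for rel, problem in findings:
        target = shlex.quote(os.path.join(root, rel))
        if problem.startswith(("owner", "group")):
            cmds.add(f"chown {owner}:{group} {target}")
        elif problem.startswith("mode"):
            cmds.add(f"chmod {problem.rsplit(' ', 1)[1]} {target}")
    return sorted(cmds)
```

Run it as the pool user or root with `audit_site("/var/www/site1", uid, gid, ["wp-content/uploads"])`; an empty result means the tree matches the model.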