
@The Lazy Admin Club

Imagine this scenario:

I have a PHP-driven website (e.g. WordPress). The webserver runs as user www-root and a php-fpm pool is set up that runs under user:group site1:site1.

Does www-data still need access to the files or can I set my file permissions for the website directory based purely on user site1?

It depends - is the webserver going to be accessing any of the files directly? In many cases you'll still have some kind of static file access that the webserver is going to need access to.

I was thinking from a security perspective. It doesn't seem good practice to have multiple sites all writable by the same user. So if the webserver still needs read access then maybe a chown site1:www-data and a chmod 640 would be most suitable (unless it needs to be public readable)?

Or alternatively, chown site1:site1, chmod 640, and add www-data to the site1 group. I've just read that if it's an upload directory, then the webserver will also need write access. But surely if it's a PHP-driven site, uploads are going to be performed via a PHP script, so it's the pool user that requires write permissions?

I would generally try to have as little writable as possible by either the FPM user or the web server. I was going to suggest exactly what you mentioned in your last comment about adding the web server user to the user's group. You could also add the FPM user to the user's group, too.

And I say this in the 'general' sense because in the case of my friendica node, for example, that's the only purpose of the server, so the FPM instance runs as the user who owns all of the Friendica code. nginx doesn't have any special permission or group access, so things have to be world readable for it.
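The layout the thread converges on (pool user owns the tree, the web server reads it through group membership, only upload/cache directories writable), as an added shell example that is not part of the original posts. The docroot, the site1 user/group and the www-data user are assumed names from the thread; chown to another user needs root, and the find/stat flags assume GNU coreutils.

```shell
#!/bin/sh
# Added example: lock down one site's docroot for a php-fpm pool.
# Assumed names: DOCROOT=/var/www/site1, pool user/group site1:site1,
# web server user www-data. Needs root to chown to a different user.
set -eu

# lock_down_site DOCROOT OWNER GROUP [DIR...]
#   Everything becomes OWNER:GROUP, directories 0750, files 0640: no world
#   access, so another pool on the same host cannot read this site's
#   wp-config.php. Each extra DIR (e.g. wp-content/uploads) becomes 2770:
#   group-writable and setgid, so files PHP creates there keep the site
#   group instead of the pool user's primary group.
lock_down_site() {
  docroot=$1; owner=$2; group=$3; shift 3
  chown -R "$owner:$group" "$docroot"
  find "$docroot" -type d -exec chmod 0750 '{}' +
  find "$docroot" -type f -exec chmod 0640 '{}' +
  for d in "$@"; do
    chmod 2770 "$docroot/$d"
  done
}

# world_readable DOCROOT: lists anything still readable by "others".
# After lock_down_site this should print nothing.
world_readable() {
  find "$1" -perm -o+r
}

# grant_reader USER GROUP: give the web server read access via the group
# rather than via world-readable files. Group membership is picked up by
# new processes only, so restart nginx/apache afterwards.
grant_reader() {
  usermod -a -G "$2" "$1"
}

# Typical use on the box described in the thread:
#   lock_down_site /var/www/site1 site1 site1 wp-content/uploads
#   grant_reader www-data site1 && systemctl restart nginx
#   world_readable /var/www/site1      # expect no output
```

Because the pool user is the one running the upload code, only the pool user (and the group, for setgid inheritance) needs write on the upload directory; the web server never needs write anywhere under the docroot when it only serves static files.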

A successful day playing with the server. Now have Nginx with modsecurity, geoip2, brotli, and openssl1.1.1 support. The OWASP core ruleset seems to be playing nicely with my wordpress site at the moment... all pages loading fine and no whitelisting or exclusions needed yet. I've yet to log into the backend though. When I have my free time back after the weekend, I'll have a go applying it to the #friendica site

#nginx #modsecurity

Just doing a bit of reading at the moment on MariaDB transactional isolation levels, and wondered what the recommended choice is for a Friendica system? It seems that most popular database systems are set to READ COMMITTED by default, but not MySQL, which is set to READ REPEATABLE.

#friendica #mysql #mariadb

@Michael Vogel Any ideas on this? Or doesn't it really matter either way? Reason I ask is that I'm also hosting Nextcloud, and the guide I'm reading for that installation advises that I change to READ COMMITTED. I was wondering if I should change it for that site only, or whether to change the actual MySQL default.

I guess that READ COMMITTED is faster, but I haven't tested it out.

Just watched Velvet Buzzsaw. Classic 5/10 movie... interesting enough to see through to the end, forgettable enough that I won't remember a thing about it by tomorrow morning.


So I've started documenting everything I've done on my server to get it where it is...mainly because I've decided to start again from scratch when I eventually move to a dedicated server. The mail server section is long. Very long. Can't really publish it either at the mo as there's far too much plagiarism :) More for my own reference until I find the time to rewrite it all in my own words. It's basically many already existing tutorials merged together with a few tweaks where I've fixed things or implemented it slightly differently. It describes setting up postfix, dovecot, sieve, postfixadmin, along with securing it, strengthening it against spam, and integrating it with rspamd and clamav (with extra 3rd party signatures). All based on Ubuntu 18.04. I suspect that the next document I write describing MariaDB, PHP-FPM, Apache backend, Nginx reverse proxy, and Varnish is going to be longer still. Good job I find it interesting!

#vps #postfix #selfhosted #documentation

#news #bioplastic #sustainability

Part 2:
The Framingham Heart Study, Part 2: The Framingham Observation

Part 3:
The Framingham Heart Study, Part 3: Framingham’s Presentational Flaws—Bias or Fraud?

#health #heartdisease #cholesterol

The data clearly showed no relation between dietary intake of either fat or cholesterol and the subjects’ level of cholesteremia (cholesterol in the blood) or their experience of CHD. Those data were never properly published because the findings were contrary to the position held by the NHLBI.
Exactly. Fake science.

It's a good article, but I think he missed the cover-up of the real cause of heart disease: sugar. And they still don't get it. But the effect is the same: lower the total cholesterol in the body, and you lower it mostly in the brain, which is something like 27% cholesterol. Low cholesterol levels in the brain increase the risk of Alzheimer's. The body actually needs cholesterol.

Interesting. I always thought there was something weird with their analysis from what I heard about the study.

So I'm looking to upgrade my server in the next couple of months, and I have narrowed things down to these choices:

Upgrade my existing VPS with OVH (here in a UK datacentre), which will give me:
4 vcores (2 GHz)
24 GB RAM
100 GB SSD

Or for around the same price, a dedicated server from Hetzner, based in Helsinki, that will give me:
Intel i7-6700 CPU (4 physical cores, 8 logical, 4 GHz)
64 GB RAM
2 x 512 GB SSD (RAID-1)

Obviously I'm massively tempted by that 2nd offer. Where the OVH VPS wins though is in latency. A ping to my current website has a latency of 12ms. A ping to the Helsinki data-centre takes 41ms.

My question is.... is this enough to worry about?

#vps #latency

No, in the end, the more services you add to your server, the more the latency difference will become irrelevant, because your server load will become the performance-limiting factor.

That's the answer I wanted to hear :)

40ms is still very low. I'm in south-central British Columbia and the servers I operate are in Toronto and California. Toronto is ~60ms from here and latency for managing the server is non-noticeable.


Climbing up Crowden Clough on a very bleak and misty day. Crowden Clough is one of the more adventurous ways to reach the plateau of Kinder Scout in the Dark Peak
#outdoors #hiking #countryside #landscape #mist #climbing #darkpeak #peakdistrict #hillwalking #kinderscout

This looks great! Just what I need. #selfhosted

Looks interesting indeed. Thanks for sharing!

I'm considering moving my stuff from OVH over to Hetzner. I'm just wondering if anyone has any first-hand experience of their service or support? Their dedicated servers seem to be a very good price... only slightly more than the OVH VPS package I was considering upgrading to

#vps #hetzner #dedicatedserver

Thought that would be an easy job upgrading from PHP 7.2-fpm to 7.3. After the upgrade, only 1 of my 3 websites would load. Problem solved (eventually!) by removing 7.2. There was some kind of conflict going on between Redis and the two versions of PHP


Looks like a great place to stick an amateur radio aerial, but I would not fancy doing it.

It was a lot easier than it looks. I was up it in no time.

A great in-depth advanced installation guide for Nextcloud 15. There are some bits in here that may be useful even if you've already installed it

Ubuntu and Nginx:

Ubuntu and Apache2:

Debian and Nginx:

#nextcloud #ubuntu

My Little Corner Of the Internet - Progress So Far...

All this on my 2 core 12gb ram VPS with 50gb SSD - although I may upgrade that to 100gb at some point.

Bye Bye #Gmail... I have my own mail server, using K-9 Mail as a client on my phone, and the Nextcloud IMAP app on the web.

I used to host my outdoors blog on shared hosting. Considering it's now on a not too expensive #VPS with various other apps, it's still much faster than it ever was on shared hosting - largely thanks to the Varnish caching system I installed.

File Storage
Bye Bye Google Drive. #Nextcloud is a much sleeker system and I'm rather loving it. I may not get as much storage sp...

Cool. Is that only available if you host your own site? I don't host yet.

yes, it's self-hosted only so far as I know. It was the best solution I could find to replace flickr.

Sounds good. Thanks for helping me avoid more confusion by trying to install it.

Since the last git pull on the Friendica rc a couple of days ago, the CPU usage of MariaDB seems to have rocketed and I'm regularly getting high load warnings. It should be said that I hadn't done a pull for a few weeks before that. Whatever it's doing, I thought it might have settled down by now.... are there any checks I can make or actions to take? @Friendica Support #friendica #mariadb


OK, I've made tmp writable, done another git pull, and done the dbstructure update. I've still had those 2 errors appear in the log after doing this though.

Yeah, I am not the only one with these problems ;-). I have also been getting this message for a couple of weeks.
PHP Fatal error:  Allowed memory size of 188743680 bytes exhausted (tried to allocate 48238592 bytes)
 in /src/Util/JsonLD.php on line 115

(the line number changed two days ago from line 109 to line 115)

I set the memory_limit to 350M

Look at this issue:

So it's unknown what impact it's having. Maybe I'll try matching the time with the Friendica log. Very concerned about the increase in load though at the moment... it used to be happily very low, sitting around 1... but at the moment it's frequently jumping up past 10 and giving me warnings. It seems to be MariaDB that's doing it. CPU usage is regularly between 20 and 40%.
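The checks asked for in this thread (is the load actually above the core count, and what is MariaDB busy with), as an added shell example that is not part of the original posts. It assumes a GNU/Linux host (/proc/loadavg, nproc) and a mysql client that can log in from ~/.my.cnf; the thresholds are assumptions, not Friendica recommendations.

```shell
#!/bin/sh
# Added example: triage "MariaDB is eating CPU and load is high" after an update.
# Assumes Linux /proc, GNU awk/nproc, and a mysql client with saved credentials.

# load_ratio LOADAVG_LINE NCPU -> 1-minute load divided by core count, 2 decimals.
# A ratio above 1 means runnable tasks are queuing, which is what the host's
# "high load" warning measures; a bare load of 10 means nothing without NCPU.
load_ratio() {
  printf '%s\n' "$1" | awk -v ncpu="$2" '{ printf "%.2f\n", $1 / ncpu }'
}

# load_is_high LOADAVG_LINE NCPU -> exit status 0 when 1-minute load > cores.
load_is_high() {
  printf '%s\n' "$1" | awk -v ncpu="$2" '{ exit !($1 > ncpu) }'
}

# current_load_is_high -> same check against the live machine.
current_load_is_high() {
  load_is_high "$(cat /proc/loadavg)" "$(nproc)"
}

# mariadb_checks -> what MariaDB is doing right now:
#   1. longest-running non-idle statements (a stuck poller or a missing index
#      after a schema change shows up here first),
#   2. InnoDB history list length and lock waits from the engine status,
#   3. turn on the slow query log at runtime (no restart) to catch repeat offenders.
mariadb_checks() {
  mysql -e "SELECT id, user, db, time, state, LEFT(info, 120) AS query
            FROM information_schema.processlist
            WHERE command <> 'Sleep'
            ORDER BY time DESC LIMIT 20;"
  mysql -e "SHOW ENGINE INNODB STATUS\G" \
    | grep -E 'History list length|lock wait|Log sequence number'
  mysql -e "SET GLOBAL slow_query_log = 1; SET GLOBAL long_query_time = 1;"
}

# Typical use:
#   if current_load_is_high; then mariadb_checks; fi
#   tail -f /var/lib/mysql/*-slow.log   # path depends on slow_query_log_file
```

Match the timestamps of the slowest entries against the Friendica log (the worker and poller run from cron, so a runaway job repeats at a fixed interval) before raising the PHP memory_limit any further.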