Best way to set up permissions with nginx + php-fpm on shared hosting?

dBi asked:

I’m running a shared hosting server with nginx and php-fpm on Debian.

Everything works fine, php-fpm has separate pools for each users running as separate users and they each have their own socks.

Nginx is however running as www-data because I don’t want to have separate nginx processes for each user.

This means that in order for nginx to have access to the users data, the permissions of /home have to be drwxr-x–x. The problem is, all users have access to other users files.

What would be the best way to give nginx access to the users files without giving other users access. Running nginx as root is not an option. But would AppArmor help?

My answer:


I prefer to use ACLs for this. For instance:

setfacl -R -m user:www-data:rx,d:user:www-data:rx /home

Gives the www-data user access to read files and traverse directories under /home, and applies the same ACL to any new files or directories created later.

Once applied, user home directories no longer have to be world-executable, (e.g. chmod o= /home/$USER) thus users can no longer read each other’s files, but nginx can.

Note that if some directories need to be writable by the web server, you can set those up on a case by case basis by changing both instances of the permissions rx to rwx. For example:

setfacl -R -m user:www-data:rwx,d:user:www-data:rwx /home/user/public_html/wp-content/{cache,uploads}

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.