When developing a website, what permissions and directory structure?

I'm posing this question because I still haven't found a uniform method that I'm particularly keen on. Ideally, this combination of directory structure and permissions should fit any web server (don't assume Apache). I should also mention that I'm concerned only with *nix servers.

I'm primarily looking for:

  • Best combination of uid/gid/other (names and octets)
  • Relatively secure (doesn't need to be uber paranoid)
  • Easy to use/maintain (the CMS is able to self-update, no permission issues)

Just for reference, the current stack I'm working with is Ubuntu 11.04 + Nginx + php-fpm + WordPress, although the ideal solution should work for any website.

2019-12-02 02:49:40
Answers: 1

Permissions can be granted to the owner, the group and others.

First, determine which permissions are needed and which users are involved:

  • Nginx running as www-data (group www-data): read-only
  • php-fpm running as www-data (group www-data): read and write
    (if you would like to allow operations like chmod, you need to run php-fpm as the SFTP user. Beware: if someone can execute commands on your server from PHP, he/she will be able to modify your files too, like .bashrc!)
  • sftp/SSH: full permissions
  • Other users: no read and write permissions

Only the owner of a file/directory can change permissions, and it is preferable to give the SSH user this ownership. Why? Because it is silly that you cannot modify your own files in the webroot, and doing everything as root is a bad idea.

Normal users cannot change the group of a file/directory, only root can do that. A special SETGID bit makes every file and directory in a directory inherit the group. With the right permissions set, both php-fpm and the SSH user can modify files.

  • Owner: your SSH user
  • Group: www-data
  • Permissions for files: rw-rw---- (0660)
  • Permissions for directories: rwxrwx--- (2770). The execute bit (2) is needed to descend into a directory. Run info coreutils 'file permissions' for more details about this bit.
  • umask 007 so that the owner and group can write to files/directories and other users do not get any permissions.

Assuming that your webroot is located at /var/www/website1, change the owner/group and permissions by running:

sudo chown -R your_ssh_user_here:www-data /var/www/website1
sudo find /var/www/website1 -type f -exec chmod 660 {} \;
sudo find /var/www/website1 -type d -exec chmod 2770 {} \;

Add yourself to the www-data group:

sudo usermod -a -G www-data your_ssh_user_here

You need to log in again to become a member of the group.

Additional configuration is needed to make sure that websites cannot access each other's files if php-fpm runs as the same user for all of them.

2019-12-03 04:09:47
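As an added example that is not part of the original answer, the following bash helper audits a tree against the scheme above (files 0660, directories 2770, one owner and group everywhere) and reports every deviation, which is the check you would run after the chown/chmod commands or after a CMS self-update. It assumes GNU stat (Ubuntu coreutils), compares ids numerically, and the demo uses the current user's uid/gid on a constructed throwaway tree in place of the SSH user and www-data.

```bash
#!/bin/bash
# Audit helper for the scheme in the answer: files 0660, directories 2770
# (SETGID set), everything owned by the SSH user with group www-data.
# Deviations go to stderr; the count is printed to stdout (0 = clean).
# GNU stat (Ubuntu coreutils) is assumed; ids are compared numerically.
audit_webroot() {
  local root="$1" want_uid="$2" want_gid="$3"
  local path mode uid gid want bad=0
  while IFS= read -r -d '' path; do
    read -r mode uid gid < <(stat -c '%a %u %g' "$path")
    if [ -d "$path" ]; then want=2770; else want=660; fi
    if [ "$mode" != "$want" ]; then
      printf 'MODE  %s: %s (want %s)\n' "$path" "$mode" "$want" >&2
      bad=$((bad + 1))
    fi
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
      printf 'OWNER %s: %s:%s (want %s:%s)\n' "$path" "$uid" "$gid" \
             "$want_uid" "$want_gid" >&2
      bad=$((bad + 1))
    fi
  done < <(find "$root" -print0)
  echo "$bad"
}

# The chmod half of the answer's recipe (the chown line needs root and the
# real SSH user, so run it separately as shown in the answer).
apply_scheme() {
  find "$1" -type d -exec chmod 2770 {} \;
  find "$1" -type f -exec chmod 660 {} \;
}

# Demo on a constructed throwaway tree, not a real webroot. Expected: exactly
# one deviation, the deliberately world-readable index.php; the directory
# created afterwards under umask 007 inherits SETGID from its parent on Linux
# and passes as 2770, which is the self-update case the answer cares about.
demo() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads"
  printf '<?php\n' > "$root/index.php"
  printf 'x\n' > "$root/wp-content/uploads/a.jpg"
  apply_scheme "$root"
  (umask 007 && mkdir "$root/wp-content/cache")   # write as the CMS would
  chmod 644 "$root/index.php"                      # deliberate deviation
  audit_webroot "$root" "$(id -u)" "$(id -g)"
  rm -rf "$root"
}
```

Run audit_webroot against the real webroot with the SSH user's uid and www-data's gid (id -u your_ssh_user_here, getent group www-data) to spot files that a deploy or update left with the wrong mode or owner.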