I tried to search about this question before, but there seems to be nowhere where it is explained thoroughly, mostly only pieces of the problem, such as app/storage permission not being set so the webserver can write files, but my problem seems bigger and more fundamental. I hope someone can explain thoroughly how this should be set up, preferably without needing to set permission to 777.
So my stack is Ubuntu 14.04, PHP 5.6 with PHP-FPM because I use nginx 1.4.6, and I use Laravel 4.2 as framework. Oh, and one more thing: I use Git as my versioning tool. So what is the necessary step-by-step to allow the following:
Setting the initial project, Git and Nginx:
So as far as I know, Nginx is set up to use username www-data as default, right? Does it mean that I have to assign my user, e.g. kevin, to the group www-data? When I initialize git, create the project using composer, set up SSH public/private key, do I need to belong to the group www-data, or do I have to be sudo, or what? In my production server, I tried using sudo for setting up everything; somehow it makes it easier to do all the things above, but is it the best practice?
Making app/storage writable for webserver:
I think this is the second and most vital for Laravel, because unless this works Laravel won't be running. My knowledge is that this folder has to be writable by the webserver (nginx), so I need to set this to sudo chown -R www-data:www-data app/storage and sudo chmod -R 664 app/storage, right? But somehow this doesn't seem to work all the time, because during my development sometimes it will tell me that a cache of a view cannot be written into the app/storage folder, so in the end I have to set it to 777, or 775 if I'm lucky.
Public folder, or place of my assets
Here I have some inconsistency too. I have set it up at the end to 777 to ensure that all my files can be accessed by nginx. Sometimes nginx will tell me that some image in my asset folder seems to be forbidden, and it will only return HTTP 200 if I either set it to 777 or change the group to www-data:www-data. Do I have to change the permission or group for every image that I created from Gimp or Photoshop, or when I downloaded it from Dropbox or from my email when my graphic designer designs new icons?
File Upload
So somewhere around the time, people will be able to upload, for example, their profile picture, or when I post a blog I can upload a picture. It means that at some point the file upload script will move the file from the /tmp folder to my public folder. It may need to only write into a subdirectory in public, or maybe sometimes it needs to create a folder based on a certain id and move the file into the directory. Most of the time I will get an error that the directory seems not to be writable, or some permission error as such, during the execution of the script. Does this mean that the PHP process has to be run with certain permission too? Or does it mean that the directory has to have a certain permission? Does this problem relate to the Nginx service or does it relate to the PHP process?
I have experience using packages such as roumen/sitemap or jlapp/swaggervel. They seem to use the same Facade File, but somehow they don't have any problem with permission. I tried to replicate their code behaviour but I hit the problem above.
Queue, Artisan, other Command-Line based executed script
Last are Command-Line based executed scripts. Do these behave the same as scripts that are executed from interaction with the webserver, such as the file upload above, or do I need to prepare for other inconsistencies?
Thank you, if someone can explain this to me. I think if I figure it out, I will create a blog post or something, appreciate it guys! :D
What I typically do is change the group of all files/folders to www-data with sudo chgrp -R www-data laravel-folder. This way I am still the owner and the webserver has group permissions.
When www-data has group ownership, sudo chmod -R g+w app/storage allows the webserver to write to a storage subfolder. Or alternatively you can do sudo chmod -R 775 app/storage. Don't use 777, there is no need to allow everyone to write to your folders.
For all new assets I always collectively change group ownership. Or, if there are new files in many places, just do sudo chgrp -R www-data laravel-folder again. One command and everything has proper group ownership.
There is no need to change the default permissions of the public folder (755). Nginx will not save files there.
All files sent by users should be located in storage. You can make a subfolder for avatars, another one for other user files. This is why this folder is called storage (self-explanatory). It is writeable by the webserver so nginx can create files/folders there.
When you adjust permissions / group ownership like I described above, there should be no problem with artisan or CLI commands.
I suggest you read this How to Install Laravel with an Nginx Web Server on Ubuntu 14.04 article.
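The group-ownership setup from the answer above, written out as an added example (not part of the original post) with an audit step that reports leftover 777 entries. It goes slightly beyond the answer by giving directories and files separate modes and setting the setgid bit on storage directories; the function names are hypothetical, and the web group is a parameter (www-data on the stack discussed here).

```bash
# Added example: group-based permissions for a Laravel 4.2 tree, without 777.
# Function names are illustrative. On the Ubuntu/nginx stack above, pass
# www-data as the group and run with sudo; on a scratch copy, any group
# you belong to works without root.

# Hand the tree to the web group and make app/storage group-writable.
# Directories get 2775 (setgid: new files inherit the group), files get 664.
fix_perms() {
    local root=$1 web_group=$2
    [ -d "$root/app/storage" ] || { echo "no app/storage under $root" >&2; return 1; }
    chgrp -R "$web_group" "$root" || return 1
    find "$root/app/storage" -type d -exec chmod 2775 {} + || return 1
    find "$root/app/storage" -type f -exec chmod 664 {} + || return 1
    # Drop the world-write bit left behind by any earlier chmod 777.
    chmod -R o-w "$root"
}

# Print every world-writable file or directory; return 1 if any exist.
audit_world_writable() {
    local root=$1 hits
    hits=$(find "$root" ! -type l -perm -0002 -print)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Print paths under app/storage that the web group could not write to:
# wrong group, missing group-write bit, or a directory without group-execute
# (a directory at mode 664 cannot be entered, so writes inside it fail).
audit_storage() {
    local root=$1 web_group=$2
    find "$root/app/storage" \( ! -group "$web_group" -o ! -perm -0020 \) -print
    find "$root/app/storage" -type d ! -perm -0010 -print
}
```

Typical use on the server is `sudo` with `fix_perms /path/to/laravel-folder www-data`, followed by the two audit functions, both of which should print nothing.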