PHP-FPM + Laravel + Nginx + Ubuntu permission

Kevin Tanjung · Feb 8, 2015 · Viewed 9.4k times

I tried to search for this question before, but there seems to be nowhere it is explained thoroughly; mostly there are only pieces of the problem, such as the app/storage permissions not having been set so the web server can write files, but my problem seems bigger and more fundamental. I hope someone can explain thoroughly how this should be set up, preferably without needing to set permissions to 777.

So my stack is Ubuntu 14.04, PHP 5.6 with PHP-FPM (because I use nginx 1.4.6), and I use Laravel 4.2 as the framework; oh, and one more thing, I use Git as my versioning tool. So what are the necessary steps to allow the following:

  1. Setting the initial project, Git and Nginx:

    So as far as I know, Nginx is set up to use the username www-data by default, right? Does it mean that I have to assign my user, e.g. kevin, to the group www-data? When I initialize git, create the project using composer, and set up the SSH public/private key, do I need to belong to the group www-data, or do I have to be sudo, or what? On my production server I tried using sudo for setting up everything; somehow it makes it easier to do all the things above, but is it the best practice?

  2. Making app/storage writable for webserver:

    I think this is the second and most vital thing for Laravel, because unless this works Laravel won't be running. My understanding is that this folder has to be writable by the web server (nginx), so I need to set it with sudo chown -R www-data:www-data app/storage and sudo chmod -R 664 app/storage, right? But somehow this doesn't seem to work all the time, because during my development it will sometimes tell me that the cache of a view cannot be written into the app/storage folder, so in the end I have to set it to 777, or 775 if I'm lucky.

  3. Public folder, or place of my assets

    Here I have some inconsistency too; in the end I have set it to 777 to ensure that all my files can be accessed by nginx. Sometimes nginx will tell me that some image in my asset folder seems to be forbidden, and it will only return HTTP 200 if I either set it to 777 or change the group to www-data:www-data. Do I have to change the permission or group for every image that I create in Gimp or Photoshop, or that I download from Dropbox or from my email when my graphic designer designs new icons?

  4. File Upload

    So at some point people will be able to upload, for example, their profile picture, or when I post a blog entry I can upload a picture. This means that the file upload script will move the file from the /tmp folder to my public folder; it may need to only write into a subdirectory of public, or sometimes it needs to create a folder based on a certain id and move the file into that directory. Most of the time I get an error that the directory seems not to be writable, or some similar permission error, during the execution of the script. Does this mean that the PHP process has to be run with certain permissions too? Or does it mean that the directory has to have certain permissions? Does this problem relate to the Nginx service or to the PHP process?

    I have experience using packages such as roumen/sitemap or jlapp/swaggervel; they seem to use the same File facade, but somehow they don't have any problem with permissions. I tried to replicate their code's behaviour, but I hit the problem above.

  5. Queue, Artisan, other Command-Line based executed script

    Last are command-line executed scripts: do these behave the same as scripts executed through interaction with the web server, such as the file upload above, or do I need to prepare for other inconsistencies?

Thank you if someone can explain this to me. I think if I figure it out I will create a blog post or something. Appreciate it, guys! :D

Answer

KazikM · Feb 9, 2015

  1. What I typically do is change the group of all files/folders to www-data with sudo chgrp -R www-data laravel-folder. This way I am still the owner and the web server has group permissions.

  2. When www-data has group ownership, sudo chmod -R g+w app/storage allows the web server to write to the storage subfolder. Alternatively you can do sudo chmod -R 775 app/storage. Don't use 777; there is no need to allow everyone to write to your folders.

  3. For all new assets I always change group ownership collectively. Or, if there are new files in many places, just do sudo chgrp -R www-data laravel-folder again. One command and everything has the proper group ownership. There is no need to change the default permissions of the public folder (755). Nginx will not save files there.

  4. All files sent by users should be located in storage. You can make a subfolder for avatars and another one for other user files. This is why this folder is called storage (self-explanatory). It is writable by the web server, so nginx can create files/folders there.

  5. When you adjust permissions / group ownership as I described above, there should be no problem with artisan or CLI commands.

I suggest you read this How to Install Laravel with an Nginx Web Server on Ubuntu 14.04 article.
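As an added example (not code from the question or the answer), here is a POSIX shell script that applies the scheme KazikM describes to a Laravel 4.2 tree and then verifies it: the developer stays the owner, the web server group gets read access everywhere, only app/storage is group-writable, and nothing is world-writable (so no 777 anywhere). The function names make_sample_tree, apply_laravel_perms, check_scheme and self_check are my own choices; the web group on a real server would be www-data, but the self-check runs against a constructed temporary tree with the caller's own primary group so it works without root. The mode check assumes a Linux stat that accepts -c.

```shell
#!/bin/sh
# Added example: group-ownership scheme for a Laravel 4.2 tree (developer owns,
# web server group reads, only app/storage is group-writable). Not project code.
set -eu

# make_sample_tree <dir>: constructed miniature Laravel 4 layout for the self-check.
make_sample_tree() {
  mkdir -p "$1/app/storage/views" "$1/app/storage/cache" "$1/public/img"
  : > "$1/app/storage/views/cached-view.php"
  : > "$1/public/img/logo.png"
  : > "$1/public/index.php"
}

# apply_laravel_perms <dir> <web-group>: the answer's steps, made explicit.
#   chgrp -R www-data laravel-folder  -> keep ownership, give the web server the group
#   dirs 755 / files 644 everywhere   -> nothing world-writable, public stays read-only
#   app/storage gets g+w (775 / 664)  -> the only place PHP-FPM may write
apply_laravel_perms() {
  dir="$1"; grp="$2"
  chgrp -R "$grp" "$dir"
  # X sets the execute bit on directories only, so files end up 644 and dirs 755.
  chmod -R u=rwX,g=rX,o=rX "$dir"
  chmod -R g+w "$dir/app/storage"
}

# mode_of <path>: octal permission bits (assumes GNU/BusyBox stat on Linux).
mode_of() { stat -c '%a' "$1"; }

# check_scheme <dir> <web-group>: returns 0 when the tree matches the scheme.
check_scheme() {
  dir="$1"; grp="$2"
  # every path must carry the web server group
  [ -z "$(find "$dir" ! -group "$grp" -print)" ] || return 1
  # the whole storage tree must be group-writable
  [ -z "$(find "$dir/app/storage" ! -perm -020 -print)" ] || return 1
  # no world-writable path anywhere (rules out the 777 the question tried to avoid)
  [ -z "$(find "$dir" -perm -002 -print)" ] || return 1
  # public keeps the default 755 and is not group-writable
  [ "$(mode_of "$dir/public")" = "755" ] || return 1
}

# self_check: builds a temporary tree, applies the scheme with the caller's own
# primary group (no root needed) and verifies it; on a server pass www-data via sudo.
self_check() {
  tmp=$(mktemp -d)
  grp=$(id -gn)
  make_sample_tree "$tmp"
  apply_laravel_perms "$tmp" "$grp"
  if check_scheme "$tmp" "$grp"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Run the self-check when the script is executed directly.
self_check && echo "permission scheme verified"
```

On a real server the call would be apply_laravel_perms /path/to/laravel-folder www-data run under sudo, since changing files to a group you are not a member of requires root. One caveat on point 4 of the answer: app/storage sits outside public, so files placed there are not served by nginx directly; Laravel would hand them out through a route or controller, which is also what keeps uploaded files from being executed as PHP by the web server.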