The following permissions/ownership model applies to all NGINX/PHP-FPM websites and lets you host several websites on one server securely, without permission problems between them.
Create folders for the sites site1 and site2:
mkdir /var/www
mkdir /var/www/site1
mkdir /var/www/site2
NOTE! Create a separate user for each website!
Do not reuse any sudo-capable user. If your website user is ubuntu, centos or root, you are asking for trouble.
Do not use www-data or nginx as the website user. This is wrong and will lead to more trouble!
The username should reflect either the domain name of the website it runs or the type of CMS, e.g. magento for a Magento website, or example for the example.com website.
Create a site1 user and group for the site1 site, without creating a home directory (on Debian-based systems --group and --no-create-home only apply to a user when combined with --system, so the account is created as a system user):
adduser --system --group --no-create-home site1
Create a site2 user and group for the site2 site, without creating a home directory:
adduser --system --group --no-create-home site2
Prohibit the use of the console by the user site1:
usermod -s /bin/false site1
Prohibit the use of the console by the user site2:
usermod -s /bin/false site2
Add the site1 user to the site1 group:
usermod -a -G site1 site1
Add the www-data web server user to the site1 site group:
usermod -a -G site1 www-data
Add the site2 user to the site2 group:
usermod -a -G site2 site2
Add the www-data web server user to the site2 site group:
usermod -a -G site2 www-data
View groups, users, and current group membership:
id site1
groups
groups site1
grep ^www-data /etc/group
cat /etc/group
Delete the user's password (make it empty). This is a quick way to disable password authentication for an account; together with the /bin/false shell set above, there is no way to log in as the site user:
passwd -d site1
passwd -d site2
Set the owner and group of all files and folders of each site to that site's user:
chown -R site1:site1 /var/www/site1
chown -R site2:site2 /var/www/site2
Set permissions so that members of the group (that is, the web server) can read and traverse the site files, while nobody else has access. /var/www itself stays owned by root, so it must remain world-traversable (0755), otherwise www-data cannot reach the site directories below it. The capital X grants execute only on directories, so files are not made executable:
chmod 0755 /var/www
chmod -R u=rwX,g=rX,o= /var/www/site1
chmod -R u=rwX,g=rX,o= /var/www/site2
Alternatively, keep each site inside its user's home directory. Create the site1 user for site1; the home directory is created automatically:
adduser site1
Create the site2 user for site2; the home directory is created automatically:
adduser site2
Prohibit the use of the console by the user site1:
usermod -s /bin/false site1
Prohibit the use of the console by the user site2:
usermod -s /bin/false site2
Add the site1 user to the site1 group:
usermod -a -G site1 site1
Add the www-data web server user to the site1 site group:
usermod -a -G site1 www-data
Add the site2 user to the site2 group:
usermod -a -G site2 site2
Add the www-data web server user to the site2 site group:
usermod -a -G site2 www-data
View groups, users, and current group membership:
id site1
groups
groups site1
grep ^www-data /etc/group
cat /etc/group
Delete the user's password (make it empty). This is a quick way to disable password authentication for an account; together with the /bin/false shell set above, there is no way to log in as the site user:
passwd -d site1
passwd -d site2
Create public_html and www folders in the home directory of user site1:
mkdir /home/site1/public_html
mkdir /home/site1/public_html/www
Create public_html and www folders in the home directory of user site2:
mkdir /home/site2/public_html
mkdir /home/site2/public_html/www
Set the owner and group of all files and folders of each site to that site's user (recursively, since the public_html folders above were created by root):
chown -R site1:site1 /home/site1
chown -R site2:site2 /home/site2
Set permissions so that members of the group (that is, the web server) can read and traverse the site files, while nobody else has access. The capital X grants execute only on directories, so files are not made executable:
chmod -R u=rwX,g=rX,o= /home/site1
chmod -R u=rwX,g=rX,o= /home/site2
See the official PHP-FPM documentation for the pool directives used below.
Move the default PHP-FPM pool configuration /etc/php/8.3/fpm/pool.d/www.conf to /etc/php/8.3/fpm/pool.d/www.conf.bak, so the shared www pool no longer runs:
mv /etc/php/8.3/fpm/pool.d/www.conf /etc/php/8.3/fpm/pool.d/www.conf.bak
Each website in PHP-FPM should run under a separate pool. In the pool settings file, e.g. /etc/php-fpm.d/example.com.conf, set the user and group to match the username you created.
Create a PHP-FPM pool configuration for site1:
vi /etc/php/8.3/fpm/pool.d/site1.conf
Pool name:
[site1]
Unix user of FPM processes. This option is mandatory.
user = site1
Unix group of FPM processes. If not set, the default user's group is used.
group = site1
Add the listen directive. Each pool needs its own socket path (two pools cannot share one socket); NGINX must point its fastcgi_pass at this path for the site:
listen = /run/php/php8.3-fpm-site1.sock
Socket ownership. Default values: user and group are set to the running user, mode is set to 0660. Owning the socket by the site group, of which www-data is a member, is what lets NGINX connect:
listen.owner = site1
listen.group = site1
listen.mode = 0660
Modify the following configuration to match your PHP-FPM processing needs on your server.
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
*Description of the settings is located at the bottom of the page.
Save and close:
:wq
Reload (or restart) PHP-FPM to apply the configuration changes; daemon-reload is only needed if a systemd unit file was edited:
systemctl reload php8.3-fpm
systemctl restart php8.3-fpm
systemctl daemon-reload
Check the running processes and the listening Unix sockets (ss is the Linux equivalent of sockstat):
ps aux | grep nginx
ps aux | grep php
ss -xlp | grep nginx
ss -xlp | grep php
Create and open a file for site1:
vi /etc/php/8.3/fpm/pool.d/site1.conf
[site1]
user = site1
group = site1
listen = /run/php/php8.3-fpm-site1.sock
listen.owner = site1
listen.group = site1
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
Save and close:
:wq
Create and open a file for site2:
vi /etc/php/8.3/fpm/pool.d/site2.conf
[site2]
user = site2
group = site2
listen = /run/php/php8.3-fpm-site2.sock
listen.owner = site2
listen.group = site2
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
Save and close:
:wq
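As an added example, not part of the original page: a POSIX shell script that generates a pool file for any site name following the layout above (with a per-site socket) and audits a site tree for entries that break the group-read-only model. The Debian-style PHP 8.3 paths are assumed; the site name and directory are parameters.

```shell
#!/bin/sh
# Added example (not from the original page): per-site PHP-FPM pool generator
# plus an audit of a site tree against the "owner rw, group read-only, others
# nothing" model. Assumes Debian-style paths (/etc/php/8.3/fpm/pool.d, /run/php).

PHP_VER=8.3

# Print a pool definition for SITE. Every pool gets its own socket so two pools
# never fight over one path; www-data reaches it through the site group (0660).
make_pool_conf() {
    site="$1"
    cat <<EOF
[$site]
user = $site
group = $site
listen = /run/php/php${PHP_VER}-fpm-${site}.sock
listen.owner = $site
listen.group = $site
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

# Audit DIR and return 1 if anything the model forbids is found:
#   -perm /007  any access for "other"      (site must not be world-readable)
#   -perm /020  group-writable entry        (the web server reads, never writes)
#   -perm /111  executable regular file     (files get r, only directories get x)
check_site_perms() {
    dir="$1"
    bad=$(find "$dir" \( -perm /007 -o -perm /020 -o \( -type f -perm /111 \) \) -print)
    if [ -n "$bad" ]; then
        printf 'permission violations under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage as root, e.g.:
#   make_pool_conf site1 > /etc/php/$PHP_VER/fpm/pool.d/site1.conf
#   check_site_perms /var/www/site1 && echo "site1 tree is clean"
```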
If the www-data user belongs to another group, you can add it to the group corresponding to the site to give the web server access to the site's directories and files.
For example, to grant access to the home directory of the web user, add the www-data user to the web group with:
usermod -a -G web www-data
You can also change the group of all files and directories to www-data and set the setgid bit on the directory, so that everything created inside it inherits the www-data group. Setting the bit alone:
sudo chmod -R g+s /path/to/www/directory/
To make sure that all files in the folder and its subfolders also carry the www-data group, run both commands:
sudo chgrp -R www-data /full/path/to/folder
sudo chmod -R g+s /full/path/to/folder
The first command sets the www-data group on every file in the folder and its subfolders; the second sets the setgid bit on the folder (and, with -R, its subfolders), so new files created there inherit the folder's group.
The choice of solution depends on the specific situation and the goals of the setup.
To add a user to a group in Linux, use the usermod command with the -a and -G options:
sudo usermod -a -G group user
where:
-a: add the user to the additional group(s); used only together with -G.
-G groups: list of additional groups (comma-separated if more than one). For details, see man usermod on your system.
Only root or users with sudo access can add a user to a group.
Remove a user from a group:
sudo gpasswd -d username group
-d, --delete user: remove the user from the named group.
Delete a user with userdel:
userdel [options] user
-f, --force: force removal, even if the user is still logged in.
-r, --remove: remove the user's home directory (and mail spool).
-Z, --selinux-user: remove any SELinux user mapping for this user.
On Debian-based systems, deluser offers further options:
--system: delete only if it is a system user
--backup: make a backup copy of the user's files before deleting them
--backup-to: folder for the backups
--remove-home: delete the home folder
--remove-all-files: delete all files owned by the user anywhere in the file system (CAUTION! This may delete important files)
This will deny the user access to the system and prevent new processes from starting:
passwd --lock your_user
Kill all running processes of the user:
Find all processes running on behalf of the user (pgrep -d, prints the PIDs comma-separated, as ps --pid expects):
ps -f --pid "$(pgrep -d, -u your_user)"
Kill all processes running on behalf of the user:
killall -u your_user
Delete user files and home directory:
deluser --remove-home your_user