nginx php-fpm file and minimum folder permissions for maximum security multi user/app


I have set up an nginx server (nginx/1.10.2) on CentOS 7. I have configured nginx to use php-fpm, PHP 5.4.16 (fpm-fcgi) (built: Nov 6 2016 00:30:57).

I use a new pool configured at /etc/php-fpm.d/piwik.conf:

    [piwik]
    user = piwik
    group = piwik
    listen = /var/run/php5-fpm-piwik.sock
    listen.owner = nginx
    listen.group = nginx
    ;listen.mode = 0660
    ;php_admin_value[disable_functions] = exec,passthru,shell_exec,system
    php_admin_flag[allow_url_fopen] = off
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    chdir = /

The important part of nginx.conf:

    location ~ ^/piwik/(.*)$ {
        root /usr/share/nginx/html;
        try_files $uri =404;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/var/run/php5-fpm-piwik.sock;
        # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # fastcgi_param PATH_INFO $fastcgi_script_name;
        # include fastcgi_params;
        include fastcgi.conf;
        # fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_index info1.php;
    }

When I request http://localhost/piwik/info1.php it shows me $_SERVER["USER"] = piwik.

So I have a problem setting the right permissions on the folder /usr/share/nginx/html/piwik.

As I have read, the user needs the x permission on the whole path to traverse to the correct folder. The folder and files must be readable, and some piwik folders must be writeable. Because CentOS 7 enables SELinux by default, I had to run the following commands for write access:

    chcon -R -t httpd_sys_content_rw_t /usr/share/nginx/html/piwik/tmp/
    systemctl restart php-fpm

I have changed the user and group to piwik. When I set the following rights, chmod 700 -R /usr/share/nginx/html/piwik/, I cannot access the files (permission denied error). I figured out that I need rights 701:

    drwx-----x. 13 piwik piwik     4096 18. Aug 09:49 .
    drwxr-xr-x.  5 root  root      4096 16. Aug 04:27 ..
    -rwx-----x.  1 piwik piwik      932  8. Jun 2015  bower.json
    -rwx-----x.  1 piwik piwik    38272 11. Apr 2016  changelog.md
    ...
    ...

Please help me understand why I have to enable the executable bit for other users.

OK, and for serving static files 775 must be set?!

Thank you.

Best regards

EDIT:

The problem is not the serving of dynamic PHP files. It is the serving of static files, because nginx runs under one specific user.

I have found this link: https://serverfault.com/questions/370820/user-per-virtual-host-in-nginx

A useful comment was: give the document root the group www-data and perms 0710 when setting up the vhost (since it needs root to configure nginx, it's not a problem to have the automation set the necessary permissions). The contents of the docroot need o+x on directories and o+r on files.

So I think the setup is: nginx runs as user nginx, separate from the different users (apps), and I set the following permissions (run as root):

    ls -la /usr/share/nginx/
    drwx--x--x.  6 nginx nginx 4096 18. Aug 19:18 html

    groupadd pydio
    useradd -g pydio pydio

    mkdir /usr/share/nginx/html/pydio/
    chown pydio:pydio -R /usr/share/nginx/html/pydio/

    find /usr/share/nginx/html/pydio/ -type d -exec chmod 701 {} \;
    find /usr/share/nginx/html/pydio/ -type f -exec chmod 704 {} \;

    chmod 710 /usr/share/nginx/html/pydio/

Please, can you check this?
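A way to check a layout like this without root, added here as an example (it is not part of the question, nor code from the linked answer): the script below models the POSIX permission check that the nginx worker hits on every path component. It picks exactly one class per entry (owner, then group, then other), requires x on every directory along the path, requires r on a static file that nginx reads itself, and requires nothing beyond a stat for a PHP file that try_files checks and php-fpm then opens as the app user. Users, groups and the tree are constructed in memory from ls-style mode strings, so nothing is read from the real filesystem or /etc/passwd. It runs the post's own layouts through the check: the chmod 700 tree, the 701 tree, and the final pydio scheme both as written (chown pydio:pydio, then 0710 on the docroot) and with the docroot group set to nginx, which is what the quoted comment (group www-data on Debian) describes.

```python
# Added example, not from the original post or the linked answer: an offline
# model of the POSIX permission check the nginx worker performs on each path.
# Users, groups and the directory tree are constructed in memory; nothing is
# read from the real filesystem or /etc/passwd, so no root is needed.

STAT = 0   # try_files $uri only stat()s a PHP file: x on each directory, nothing on the file
READ = 4   # a static file nginx serves itself additionally needs r on the file itself


def parse_symbolic_mode(text):
    """Turn an ls -l mode field such as 'drwx-----x.' into 0o701.
    The type character and the trailing SELinux '.' are ignored; 's'/'t' count
    as x set, 'S'/'T' as x clear (setuid/setgid/sticky bits are not modelled)."""
    bits = 0
    for ch in text[1:10]:
        bits = (bits << 1) | (ch in "rwxst")
    return bits


class ModelFs:
    """Constructed tree: path -> (mode, owner, group), exactly what ls -l shows."""
    def __init__(self):
        self.entries = {}

    def add(self, path, mode, owner, group):
        if isinstance(mode, str):
            mode = parse_symbolic_mode(mode)
        self.entries[path] = (mode, owner, group)


def permission_class(owner, group, user, user_groups):
    """POSIX picks exactly one class, in this order; it never falls through to the next."""
    if owner == user:
        return "owner"
    if group in user_groups:
        return "group"
    return "other"


def effective_bits(mode, cls):
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    return (mode >> shift) & 7


def check_access(fs, path, user, user_groups, need):
    """Walk `path` component by component. Every directory on the way needs x
    (search) for `user`; the final entry needs the bits in `need`.
    Returns (ok, reason). Components not in the model (/, /usr, ...) are
    assumed world-searchable, as they are on a stock CentOS install."""
    parts = [p for p in path.split("/") if p]
    cur = ""
    for i, part in enumerate(parts):
        cur += "/" + part
        if cur not in fs.entries:
            continue
        mode, owner, group = fs.entries[cur]
        cls = permission_class(owner, group, user, user_groups)
        have = effective_bits(mode, cls)
        want = need if i == len(parts) - 1 else 1
        if have & want != want:
            return False, (f"{cur} ({oct(mode)} {owner}:{group}): {user} falls in class "
                           f"'{cls}' with bits {have:03b}, needs {want:03b}")
    return True, "ok"


NGINX_USER, NGINX_GROUPS = "nginx", {"nginx"}
APP = "/usr/share/nginx/html/pydio"


def build_tree(docroot_mode, dir_mode, file_mode, docroot_group="pydio"):
    """One app under /usr/share/nginx/html laid out as in the post: html is
    nginx:nginx 0711, everything below it belongs to the app user 'pydio'.
    The file names below the docroot are constructed for the example."""
    fs = ModelFs()
    fs.add("/usr/share/nginx/html", "drwx--x--x.", "nginx", "nginx")
    fs.add(APP, docroot_mode, "pydio", docroot_group)
    fs.add(APP + "/plugins", dir_mode, "pydio", "pydio")
    fs.add(APP + "/index.php", file_mode, "pydio", "pydio")
    fs.add(APP + "/plugins/app.css", file_mode, "pydio", "pydio")
    return fs


def nginx_can(fs, path, need):
    return check_access(fs, path, NGINX_USER, NGINX_GROUPS, need)


def report(label, fs):
    print(f"== {label}")
    for path, need, what in ((APP + "/index.php", STAT, "stat PHP file for try_files"),
                             (APP + "/plugins/app.css", READ, "read static file")):
        ok, why = nginx_can(fs, path, need)
        print(f"  {'OK  ' if ok else 'FAIL'} {what}: {why}")


if __name__ == "__main__":
    report("chmod 700 -R (first attempt)", build_tree(0o700, 0o700, 0o700))
    report("701 everywhere (second attempt)", build_tree(0o701, 0o701, 0o701))
    report("final scheme as written: chown pydio:pydio, docroot 710", build_tree(0o710, 0o701, 0o704))
    report("final scheme with docroot group nginx", build_tree(0o710, 0o701, 0o704, docroot_group="nginx"))
```

Run as is, the four reports answer the two questions in the post: with 701 on everything, try_files can stat the PHP file (only x on the directories is needed, and php-fpm opens the file as piwik), but a static file with mode 701 is not readable by nginx, which is why only the static content broke; and in the final scheme, 0710 on a docroot whose group is pydio rather than nginx puts the nginx worker in the 'other' class with no search bit at all, so nothing under it can be served. With the docroot group set to nginx, directories 701 and files 704 below it give nginx exactly the o+x and o+r the quoted comment calls for, and other users on the host get no read access to the directory listings.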
