
Sysadmin Confused about file permissions - what are you all actually doing?

Discussion in 'System Administration' started by deltahf, Jan 3, 2022.

  1. deltahf (Premium Member)
    File permissions have always been a blind spot for me. I still have old (likely bad) habits when setting up new servers that have probably caused me a lot of headaches over the years.

    I create users on my system for each website on my server, for example "site1" and "site2". Then I keep all of the files for those sites in /home/siteX/. The folders and all the files within them are owned by those respective users, and if something needs to be written to by nginx, I'd just change the permissions to 777. This isn't working too well for me anymore, as I want to use one-click updates in XenForo and WordPress now, and I suspect it's causing some problems with new WordPress plugins I'm using as well.

    I know the general advice is to have all of the files of the website owned directly by nginx:nginx. However, to be frank, that advice has always puzzled me.


    How are you all actually maintaining the files on your site with nginx:nginx permissions?

    Sure, if you're performing one-click upgrades that's ideal, but what about the rest of the time? If you need to perform a quick edit to a config file, say wp-config.php, how do you actually do it? Are you actually logging into your server as the nginx user? Are you logging in as root? Are you chown-ing the file multiple times as needed to make your edits? Am I just wasting my time having multiple system users per site?

    Also, I maintain my WordPress' custom theme folder and several custom plugins as git repos, and I push those changes via my site's SSH user. What happens if I try to push changes to that repo and all those files are owned by nginx? Would it even allow me to overwrite the files? Will they be owned by that user now, or by nginx?

    From the way I see it, there are two mutually exclusive ways to go about this: you can have a server that has files which are easier to maintain directly with specific users, or you can give everything to nginx and enjoy automated things, but jump through a lot of hoops when you actually need to work with the files.

    How do you guys deal with this problem? As you can see, I'm deeply confused about best practices here.
     
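    The 777 habit above is exactly what a permissions audit should flag. As an added example (not from this thread or from Centmin Mod), here is a POSIX shell script that lists world-writable entries under a web root and applies a group-based layout instead: the site user owns the tree, nginx/php-fpm is made a member of the site's group, and only the subtree the app must write to is group-writable. The user and group names, the wp-content/uploads path and the helper names are assumptions; the chown/usermod steps need root, so they are printed by chown_plan rather than executed, and the rest runs unprivileged on a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: /home/site1/public owned by
# user "site1", group "site1"; nginx/php-fpm runs as "nginx", which is added to
# group "site1". Only the chmod helpers run here; the root-only chown/usermod
# commands are printed by chown_plan so the script can be run unprivileged.

# audit_world_writable DIR
# Lists every file or directory under DIR that "others" may write to (the
# 777/666 habit). Returns 1 if any were found, 0 if the tree is clean.
audit_world_writable() {
    found=$(find "$1" ! -type l -perm -002 -print)
    if [ -n "$found" ]; then
        printf 'world-writable:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# harden_webroot ROOT WRITABLE
# ROOT gets owner rwx / group rx (setgid on directories so files created by
# php-fpm inherit the site group); WRITABLE (relative to ROOT) is the only
# subtree php-fpm may write to, so it alone gets group write. Nothing is
# world-writable afterwards.
harden_webroot() {
    root=$1; writable=$2
    find "$root" -type d -exec chmod 2750 {} +
    find "$root" -type f -exec chmod 640 {} +
    find "$root/$writable" -type d -exec chmod 2770 {} +
    find "$root/$writable" -type f -exec chmod 660 {} +
}

# chown_plan SITE ROOT
# Prints the root-only commands that complete the model: the site user owns
# the tree, nginx joins the site group and can therefore read everything and
# write only inside WRITABLE.
chown_plan() {
    site=$1; root=$2
    printf 'chown -R %s:%s %s\n' "$site" "$site" "$root"
    printf 'usermod -aG %s nginx\n' "$site"
}

# Example run on a constructed tree (no root needed):
#   d=$(mktemp -d); mkdir -p "$d/public/wp-content/uploads"
#   chmod 777 "$d/public/wp-content/uploads"
#   audit_world_writable "$d/public"      # lists the 777 directory, exit 1
#   harden_webroot "$d/public" wp-content/uploads
#   audit_world_writable "$d/public"      # clean, exit 0
#   chown_plan site1 "$d/public"          # the two commands to run as root
```

    With this layout the site user still edits wp-config.php as itself (640, group-readable by nginx), php-fpm writes only under the designated directory, and a file that php-fpm creates there gets the site group through the setgid bit, so both sides can keep working on it without any chown.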
  2. eva2000 (Administrator, Staff Member)
    I generally just follow the steps outlined in the official Centmin Mod Getting Started Guide step 2. For web app managed or created files in WordPress and XenForo, I just let php-fpm, owned by the nginx user/group, do its work. For manually edited files I usually just log in and edit as root over SSH.

    My SecureCRT SSH client also has built-in SFTP support via the command line, so I can quickly upload/download files if needed, or launch the SecureFX FTP app. SecureCRT with Command Manager also makes life easier https://community.centminmod.com/th...client-apps-do-you-use.390/page-10#post-90843 :)

    Straight from Getting Started Guide step 2 linked above
     
  3. deltahf (Premium Member)
    OK, thanks for the info. I guess I need to read Centminmod 101 again. :ROFLMAO:

    Any advice on what to do with git, though? Once file ownership is changed to nginx, pushing to repos with my site's SSH user obviously no longer works, and if I push as root user, the uploaded files are owned by root:root again, so I'm back to square one. Do I have to chown every single time I push changes?

    I have tried researching this, but nothing seems to answer the question. Git is so widely used; I don't understand how this is not a big issue for everyone.
     
  4. eva2000 (Administrator, Staff Member)
    That's what I do for the centminmod.com part of the site - all Nginx vhost configs and site files are Git-backed, which allows a cluster of VPS servers to load balance centminmod.com and lets me spin up any VPS server and run a setup script which git pulls all the files and sets up all the file permissions via chown/chmod :)

    The other way you can do it, which would take up some more disk space, is to use a Linux bind mount for your files as a different user/group https://unix.stackexchange.com/questions/198590/what-is-a-bind-mount (under the Linux bind mount heading; not the same as the bindfs also mentioned there). Linux bind mounts depend on Linux kernel support, so you'd only want to do this on a KVM VPS or dedicated servers where you have full control.
    But you'd be on your own for support in Centmin Mod for such setups and would need to know what you're doing :)

    It's the basis of one of the ways I've tested chroot/jailed site Nginx users for Centmin Mod - demo at https://community.centminmod.com/th...-sftp-ssh-user-nginx-vhost-menu.8/#post-33453. Your web root files then exist both at
    /home/nginx/domains/domain.com/public as nginx user/group and also at
    /home/george/domain.com/public as user/group george simultaneously.
    Code (Text):
    ls -lah /home/george/domain.com/public/
    total 68K
    drwxr-s---+ 3 george george 4.0K Jul 12 06:11 .
    drwxr-s---+ 6 george george   56 Jul 12 05:07 ..
    -rw-r--r--  1 george george 1.6K Jul 12 05:07 403.html
    -rw-r--r--  1 george george 1.6K Jul 12 05:07 404.html
    -rw-r--r--  1 george george 2.1K Jul 12 05:07 500.html
    -rw-r--r--  1 george george 2.1K Jul 12 05:07 502.html
    -rw-r--r--  1 george george 2.2K Jul 12 05:07 503.html
    -rw-r--r--  1 george george 7.6K Jul 12 05:07 503.jpg
    -rw-r--r--  1 george george 2.1K Jul 12 05:07 504.html
    -rw-r--r--  1 george george 2.2K Jul 12 05:07 50x.html
    -rw-r--r--  1 george george 1.4K Jul 12 05:07 index.html
    -rw-r--r--  1 george george 1.7K Jul 12 05:07 maintenance.html
    -rw-r-----+ 1 george george   17 Jul 12 05:43 phpinfo.php
    drwxr-s---+ 2 george george    6 Jul 12 06:10 testdir1
    -rw-r-----+ 1 george george    0 Jul 12 06:11 testfile1.txt
    -rw-r-----+ 1 george george  143 Jul 12 06:24 test.php
    -rw-r--r--+ 1 george george    0 Jul 12 05:14 test.txt
    
     
  5. deltahf (Premium Member)
    OK! That surprises me — it feels like there should be a better way — but file permissions are just such a pain.

    Bind mounts look too complex for my situation. I have figured out how to use git hooks for each of my repos to just update file ownership each time I push to the server via the myrepo.git/hooks/post-receive file:

    Code (Text):
    #! /bin/sh
    # post-receive runs inside the bare repo after a push; check the pushed
    # HEAD out into the live web root
    GIT_WORK_TREE=/path/to/my/code git checkout -f
    echo "Updating file ownership..."
    # hand the checked-out files back to the php-fpm/nginx user
    chown -R nginx:nginx /path/to/my/code
    echo "Restarting php-fpm..."
    service php-fpm restart
    


    This seems to do the trick. As you can see, I also added a command to restart PHP-FPM automatically.

    I guess this works because I'm pushing to the git repo via ssh as the root user, so the script is executed with root permissions.
     
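    The hook in the post above checks out HEAD on every push, whichever branch was pushed. As an added example (not the thread's hook and not Centmin Mod code), here is a post-receive hook for a bare repository that reads the ref list git passes on stdin and deploys only when the configured branch was updated. The work-tree path /path/to/my/code, the branch name main and the helper names are assumptions; as in the post, the chown and service lines only succeed because the push arrives over SSH as root. The helper that parses git's input can be exercised without a repository, which is what the usage lines at the bottom do.

```shell
#!/bin/sh
# Added example, not the thread's hook. Installed as myrepo.git/hooks/post-receive.
# Assumptions: bare repo, deploy branch "main", web root /path/to/my/code,
# php-fpm running as nginx:nginx.

DEPLOY_BRANCH=${DEPLOY_BRANCH:-main}         # branch whose push triggers a deploy
WORK_TREE=${WORK_TREE:-/path/to/my/code}     # assumed live web root
OWNER=${OWNER:-nginx:nginx}                  # user:group php-fpm runs as

# branch_was_pushed BRANCH  (reads hook input on stdin)
# git feeds post-receive one "oldrev newrev refname" line per updated ref.
# Returns 0 if refs/heads/BRANCH is among them, 1 otherwise, so a push to a
# feature branch does not overwrite the live site.
branch_was_pushed() {
    want="refs/heads/$1"
    hit=1
    while read -r oldrev newrev refname; do
        [ "$refname" = "$want" ] && hit=0
    done
    return $hit
}

# deploy: check the deploy branch out into the web root, restore ownership
# for php-fpm, then restart it. Stops at the first failing step.
deploy() {
    GIT_WORK_TREE="$WORK_TREE" git checkout -f "$DEPLOY_BRANCH" || return 1
    echo "Updating file ownership..."
    chown -R "$OWNER" "$WORK_TREE" || return 1
    echo "Restarting php-fpm..."
    service php-fpm restart
}

# git exports GIT_DIR to hooks; when the file is sourced by hand (e.g. to try
# branch_was_pushed with constructed input) nothing below runs.
if [ -n "${GIT_DIR:-}" ]; then
    if branch_was_pushed "$DEPLOY_BRANCH"; then
        deploy
    else
        echo "post-receive: $DEPLOY_BRANCH not updated, nothing to deploy"
    fi
fi

# Trying the parser with constructed hook input (no repository needed):
#   printf '0000 1111 refs/heads/main\n'    | branch_was_pushed main   # exit 0
#   printf '0000 1111 refs/heads/feature\n' | branch_was_pushed main   # exit 1
```

    Because the hook still runs chown -R as root over the whole tree, it is worth keeping the web root on its own path so a mistyped WORK_TREE cannot re-own something else; the `|| return 1` on the checkout also means a failed checkout no longer restarts php-fpm against a half-updated tree.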
  6. eva2000 (Administrator, Staff Member)
    Yeah, git hooks work for this too :)