timbroder

Reputation: 878

Issue with www-data and group read for site folder

I'm locking down some permissions, and now nginx has trouble seeing my site.

Background:

root@dev:~# groups mysite
mysite : mysite www-data
root@dev:~#

root@dev:~# groups www-data
www-data : www-data

The folder (has group permissions)

drwxrwx--- 3 mysite www-data 4096 Jun 26 14:12 sites/

www-data trying to get to it:

root@dev:~# sudo -u www-data stat /home/mysite/sites/
stat: cannot stat ‘/home/mysite/sites/’: Permission denied

www-data can see the parent folders fine:

root@dev:~# sudo -u www-data stat /home/
  File: ‘/home/’
  Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 1179649 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-10-19 10:59:05.845267219 -0400
Modify: 2016-06-26 14:12:24.890310000 -0400
Change: 2016-06-26 14:12:24.890310000 -0400
 Birth: -
root@dev:~# sudo -u www-data stat /home/mysite/
  File: ‘/home/mysite/’
  Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 1180062 Links: 10
Access: (0770/drwxrwx---) Uid: ( 1000/ mysite) Gid: ( 1000/ mysite)
Access: 2016-10-19 10:59:10.081267219 -0400
Modify: 2016-10-19 10:35:01.221267219 -0400
Change: 2016-10-19 10:35:01.221267219 -0400
 Birth: -

I've also checked to see if SELinux was messing with it:

root@dev:~# setenforce 0
setenforce: SELinux is disabled

I've also tried:

chown www-data:www-data /home/mysite/sites/

Update 10/19/2016: Setting the ACL on the folder that 'sites' belongs to got this working the way I have it set up:

setfacl --modify=g:www-data:x /home/mysite

Upvotes: 3

Views: 3237

Answers (2)

correcthorse

Reputation: 36

Any web server requires executable permissions (but not read) to all parent directories that contain the site. Setting an ACL on the home directory like that works.

You also could have changed the group of /home/mysite to www-data and locked down permissions of that directory to 710.

Another solution would have been to move the sites directory someplace less restricted than a home directory, like /var/www, but keep the existing locked down permissions on the sites directory.

I likely would have gone with your solution, or moving the site to /var/www.

Upvotes: 2
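
The traversal rule from this answer, as an added example that is not part of the original posts: it walks every ancestor of a path and reports the first directory where a user lacks the execute (search) bit, using the modes from the question's stat output. Assumptions: classic mode bits only (ACLs and root's override are not modelled), `/` is 0755 root:root, www-data has uid/gid 33, and the helper names are hypothetical.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace

def can_search(st, uid, gids):
    """Classic mode-bit check: exactly one class (owner, group, other) applies."""
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocked(path, uid, gids, stat_fn=os.stat):
    """Return the first ancestor directory of `path` that the user cannot
    traverse (no execute bit for them), or None if the whole chain is open."""
    ancestors = list(PurePosixPath(path).parents)[::-1]  # "/", "/home", ...
    for directory in ancestors:
        if not can_search(stat_fn(str(directory)), uid, gids):
            return str(directory)
    return None

def fake_stat(table):
    """Build a stat_fn over a constructed {path: (mode, uid, gid)} table."""
    return lambda p: SimpleNamespace(
        st_mode=table[p][0], st_uid=table[p][1], st_gid=table[p][2])

# Constructed from the stat output in the question. Assumed (not on the page):
# "/" is 0755 root:root and www-data has uid/gid 33.
WWW_DATA, MYSITE = 33, 1000
AS_POSTED = {
    "/": (0o755, 0, 0),
    "/home": (0o755, 0, 0),
    "/home/mysite": (0o770, MYSITE, MYSITE),
}
# The answer's alternative: group www-data on the home directory, mode 710.
GROUP_710 = dict(AS_POSTED, **{"/home/mysite": (0o710, MYSITE, WWW_DATA)})

if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED),
                        ("chgrp www-data + 710", GROUP_710)):
        blocked = first_blocked("/home/mysite/sites", WWW_DATA, {WWW_DATA},
                                fake_stat(table))
        print(f"{name}: {blocked or 'www-data can reach sites/'}")
```

With the default `stat_fn=os.stat` the same function checks a real path; a stat of `/home/mysite` itself only needs search on `/home`, which is why that call succeeded while the one on `sites/` did not.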

timbroder

Reputation: 878

Setting the ACL on the folder that 'sites' belongs to got this working the way I have it set up:

setfacl --modify=g:www-data:x /home/mysite

Upvotes: 1
