I am using the following setup on my LEMP stack (Nginx + PHP-FPM). For Apache, this should also be applicable.
PHP-FPM runs several pools: nobody:user1, nobody:user2, ...
Nginx runs as nginx:nginx.
The user nginx is a member of each group user1, user2, ...:
File permissions:

    root:root    drwx--x--x  /home
    user1:user1  drwx--x---  /home/user1                               (1)
    user1:user1  rwxr-x---   /home/user1/site.com/config.php           (2)
    user1:user1  drwxrwx---  /home/user1/site.com/uploads              (3)
    nobody:user1 rw-rw----   /home/user1/site.com/uploads/avatar.gif   (4)
(1) The user home dir does not have x permission for other, so the php-fpm pool running as nobody:user2 will not have access to /home/user1, and vice versa.
(2) The PHP script does not have w for group, so it cannot create files in htdocs.
(3) In the uploads dir, we must manually enable write access for the user1 group in order to enable the PHP script to place files there. Do not forget to disable the PHP handler for uploads; in nginx this is done with

    server {
        ....
        location ^~ /uploads/ {
            # no fastcgi_pass here, so nothing under /uploads/ is handed to PHP-FPM
        }
    }

but for Apache you have to check.
(4) The uploaded files must also have w for group if we want user1 to be able to edit these files later via ftp or ssh (login as user1:user1). PHP code can also be edited via ftp, since user1 is its owner.
Nginx will have read access to all users and write access to all user downloads, as the nginx user is a member of each group user1, user2, .... You should not forget to add it to all groups created later. You can also modify the useradd script to do this automatically.
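As an added example (not code from the post's author), here is a small bash script that applies the mode bits listed above to one user's home directory and then audits the tree for the four conditions the scheme depends on: no x for other on the home dir, no group write on code or config, group write on uploads, and no PHP files sitting inside uploads (which is only harmless while the PHP handler is disabled there). It assumes the layout /home/userN/site.com with an uploads subdirectory; the function names apply_site_perms, audit_site_perms and has_mode are hypothetical. Ownership (user1:user1 for code, nobody:user1 for uploads) needs root and is left to the administrator; the mode bits are the part that can be set and checked as an unprivileged user, which is why the example stops there. Regular files outside uploads get 640 instead of the 750 in the listing, since PHP-FPM only reads config.php and the x bit serves no purpose on it.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Applies and audits the per-user
# permission scheme for a LEMP site. Function names are hypothetical.
# chown (user1:user1 for code, nobody:user1 for uploads) needs root and is
# left to the administrator; only mode bits are handled here.

# Exact-mode check, portable across GNU and BSD find: has_mode PATH 710
has_mode() {
  [ -n "$(find "$1" -maxdepth 0 -perm "$2")" ]
}

# apply_site_perms /home/user1 site.com
apply_site_perms() {
  local home="$1" site="$1/$2" up="$1/$2/uploads"
  chmod 710 "$home"      # (1) no x for other: the nobody:user2 pool cannot traverse /home/user1
  # htdocs: the group (the PHP pool) may read and traverse, but not write     (2)
  find "$site" -path "$up" -prune -o -type d -exec chmod 750 {} +
  find "$site" -path "$up" -prune -o -type f -exec chmod 640 {} +   # listing shows 750; x is unused
  # uploads: group-writable so the PHP pool can store files                  (3)
  find "$up" -type d -exec chmod 770 {} +
  find "$up" -type f -exec chmod 660 {} +   # (4) user1 can still edit uploads over ftp/ssh
}

# audit_site_perms /home/user1 site.com  -> prints findings, exit status = number of findings
audit_site_perms() {
  local home="$1" site="$1/$2" up="$1/$2/uploads" n=0 bad php
  if [ -n "$(find "$home" -maxdepth 0 -perm -001)" ]; then
    echo "FINDING: $home is traversable by other (o+x); another pool could reach it"
    n=$((n + 1))
  fi
  # anything group-writable outside uploads could be modified by the PHP pool
  bad=$(find "$site" -path "$up" -prune -o -perm -020 -print)
  if [ -n "$bad" ]; then
    printf 'FINDING: group-writable outside uploads:\n%s\n' "$bad"
    n=$((n + $(printf '%s\n' "$bad" | wc -l)))
  fi
  if [ -z "$(find "$up" -maxdepth 0 -perm -020)" ]; then
    echo "FINDING: $up is not group-writable; the PHP pool cannot store uploads"
    n=$((n + 1))
  fi
  # a PHP file in uploads is only safe while the handler is disabled for /uploads/
  php=$(find "$up" -type f -name '*.php')
  if [ -n "$php" ]; then
    printf 'FINDING: PHP files inside uploads:\n%s\n' "$php"
    n=$((n + $(printf '%s\n' "$php" | wc -l)))
  fi
  echo "audit of $site: $n finding(s)"
  return "$n"
}

# Usage: apply_site_perms /home/user1 site.com && audit_site_perms /home/user1 site.com
```

The audit is meant to be run periodically (or from the useradd hook mentioned above) so that a group-writable script or a .php file that appeared under uploads is noticed; its exit status is the number of findings, which makes it easy to wire into a cron job or monitoring check.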