Detailed Nginx, PHP-FPM, and MySQL user rights

Source: Internet
Author: User
Tags: fpm, php, mysql

Web applications are typically run on Linux distributions such as CentOS, Ubuntu or Debian. The service stack is usually Nginx, PHP and MySQL, and controlling the rights under which these services run is very important: each service has different permission requirements on the code directory. Missing permissions cause read or write errors in the service, while overly loose permissions leave a hidden danger that an intruder can modify the code. This article summarizes the permissions of Nginx, PHP-FPM and MySQL.

I. Web server Nginx permissions

PHP is usually deployed together with Nginx (the LNMP stack) or with Apache (the LAMP stack); here we take Nginx as the example and describe the permissions the Nginx service needs in order to run.
Nginx itself cannot interpret PHP, so it serves static files (HTML and so on) directly, but requests for PHP files are forwarded to the PHP interpreter, PHP-FPM, for processing, and the response is then returned to the client's browser.

Therefore the code directory needs permissions that satisfy both the Nginx and the PHP services.
① If everything is unified under the root user, an ordinary visitor account cannot access the application, and running Nginx as root is a great security risk: once the server is compromised, the attacker can do anything on the system with the root identity.
② If instead the code directory is set to rwxrwxrwx (mode 777), there is the hidden danger that a user can modify the code directory directly through the browser.

So the best approach is to create a dedicated user group and grant that group exactly the permissions Nginx and PHP need to run, thereby managing the Web application directory's permissions through the group. Many teams name this user and group www, and the www user then manages the code directory permissions uniformly.
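The layout described above, as an added example that is not part of the original article: a small POSIX shell script that audits a code directory for the world-writable (rwxrwxrwx) case and then applies a layout where the www group can read everything but write only to one named upload subdirectory. It assumes the www user and group from the article; the writable subdirectory name is a placeholder you supply, and the chown step is skipped when the www user does not exist.

```shell
#!/bin/sh
# Added example, not from the original article: apply and audit a least-privilege
# layout for a PHP code directory shared by the nginx workers and the PHP-FPM pool.
# Assumption: both run in the "www" group as the article describes; the writable
# subdirectory name (e.g. uploads) is a placeholder you supply.

# Print every file or directory under $1 that is world-writable (the rwxrwxrwx
# case the article warns about). Returns 1 if any were found, 0 if the tree is clean.
find_world_writable() {
    found=$(find "$1" ! -type l -perm -002)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Apply the layout: the www group may read and traverse everything, only the named
# writable subdirectory accepts writes from the group, and "other" gets nothing.
apply_web_perms() {
    dir=$1; writable=$2; owner=${3:-www}; group=${4:-www}
    # directories rwxr-x--- (750), files rw-r----- (640)
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    # upload directory: group-writable, setgid so new files inherit the www group
    if [ -n "$writable" ] && [ -d "$dir/$writable" ]; then
        find "$dir/$writable" -type d -exec chmod 2770 {} +
        find "$dir/$writable" -type f -exec chmod 660 {} +
    fi
    # ownership change needs root and an existing www user; skipped otherwise
    if id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$group" "$dir" || echo "chown to $owner:$group failed" >&2
    fi
}
```

Run `apply_web_perms /path/to/webroot uploads` as root once the www user exists, then `find_world_writable /path/to/webroot` in a cron job to catch any later drift back to 777.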

In the nginx configuration file nginx.conf the running identity is set to the www user, so the Nginx worker processes are also executed by the www user, which can be checked with ps aux | grep nginx:

You can see that Nginx's master process runs as root and the remaining (worker) processes run as the www user.

Configuration of the nginx.conf:

II. PHP-FPM permission configuration

Similarly, PHP-FPM also runs its master process as root, while the worker pool is configured to run as the www user. This is set in etc/php-fpm.conf under the PHP installation directory by adding two lines:
user = www
group = www
You can again use ps aux | grep php to view the user identities of the processes:

III. MySQL service permission configuration

With ps aux | grep mysql you can see that the MySQL service runs as the mysql user. The PHP code only needs a MySQL username and password to connect to the service, so MySQL does not need to be unified under www: the data layer should be separated from the business logic layer to protect the underlying data. MySQL authorization is mainly done inside the MySQL service by adding users and partitioning their privileges, so that different PHP services connect with different identities and different permissions, ensuring data security.

IV. Summary

Nginx configuration (nginx.conf):
user www www;

PHP-FPM configuration (php-fpm.conf):
user = www
group = www

Transferred from: 78615825?locationnum=8&fps=1
