recommended nginx file and directory permissions/owner

[ppal6426]

In the installation docs it instructs to set permissions to 755 or 777 but I know that is not what the permissions should be for a production environment and I can't seem to find any other mention of it in the install docs or this forum. What should the owner and permissions for directory and files be set to? I'm on Ubuntu 16.04 w/nginx and php 7. Also the directory "files" is where the local files store is so is the following nginx directive enough to protect that directory?

location /files/ {
internal;
}

Thank you in advance.

 

[enricodias4654]

chmod 777 is needed to let the php script write and delete files in the folder when the php executes with a different user, usually nobody.

If your scripts execute with the same user that owns the files and folders, you don`t need to use chmod 777. I recommend using mod_ruid2 with apache.

 

[ppal6426]

I'm using Nginx so I don't see mod_ruid2 working for me unless there is some alternative. I'm not satisfied that all the directories and files need 777. Mfscripts says the product is secure but the fact that permissions are not more adequately addressed in the install doc puzzles me (sorry if I've missed it somewhere). I'm not an expert but only files being changed on the fly should need write access. So for the user facing pages I would think this would only be the upload directory. For admin pages I'm not sure but I would even be willing to change permissions to 777 for administration then back to something tighter but I'm not comfortable just leaving it open the rest of the time. Still open for suggestions. Thx.

 

[enricodias4654]

Not all files need to be 777, but applying 777 in files and folders are not a security issue, it just means that any user in your server may write to those files. If you use cpanel or any other control panel, other users outside your cpanel account wont be able to access your files regardless of the chmod.

The script needs to write to the following files/folders:

/cache
/cache/*
/logs
/logs/*
/core/cache
/core/cache/*
/core/cache/js/*
/core/cache/css/*
/core/logs
/core/logs/*
/files
/files/*

 

[adam]

Hi ppal6426,

As enricodias4654 says, CHMOD 777 isn't a security issue. If you can use 755 then use that instead, some servers will only allow writing with 777, some block 777. It all depends on how the server is configured.

CHMOD is more important in a shared hosting environment (non deciated), although again it depends how the environment is configured. This post may help:

http://www.simplemachines.org/community/index.php?topic=2987.0

Thanks,
Adam.

 

[david6510]

755 is much better than 777

if you are using Ubuntu, just use

chown 33:33 /path/to/your/yetishare -R