How to configure user permissions for nginx, php-fpm and mysql

Normally, the servers we run web applications on include Linux distributions such as CentOS, Ubuntu, Debian, etc. At this time, the permission control of Nginx, PHP, MySQL and other applications necessary to form the service architecture is very important. Each service has different permission requirements for the code directory. The lack of certain permissions will cause the service to be unable to read, write or run. , which lowers the permission requirements and creates the risk of intrusion and modification.

1. Web server Nginx permissions

The running framework of PHP is usually combined with Nginx to form LNMP or combined with Apache to form LAMP architecture. Here, Nginx is used as an example to describe what is needed to run the Nginx service. permissions.
We know that Nginx itself cannot parse PHP syntax, so Nginx will directly parse and return results for static files (such as HTML, etc.), but for PHP files, Nginx will transfer them to the PHP interpreter php-fpm for processing. After processing, the response is returned to the client browser.

Therefore, we need to unify the permissions required for Nginx and PHP services in our code directory.

① If the root user is used uniformly, general guest accounts will not be able to access the application. If nginx is configured to run as root, there will be a great security risk. Once attacked, the root identity will be obtained to perform everything in the system. operate.

If the permissions of the code directory are uniformly set to rwxrwxrwx, there will be a hidden danger that users can directly modify the code directory through the browser.

So the best way is to classify them into a new user group and assign the user group the necessary permissions to run Nginx and PHP to achieve permission directory management for web applications. In many cases, teams will use the www user group to manage code directory permissions and uniformly manage user www.

We can see the Nginx configuration file nginix.confThe running permissions divided in it are configured under the www user, so the Nginx child process is also executed by the www user, which can be passedps aux | grep nginx to view:

You can see that the main process of nginx is root, and the other sub-processes are all users of www

nginx.conf configuration:

2. PHP permission configuration

Same, php The running mode is also run by the main process root. The configuration in the child process pool (pool) is executed by the www user. The specific configuration is under etc\php-fpm.conf in the php root directory. Add two lines. :

user = www
 group = www

. You can also use ps aux | grep php to view the user identity used by the process:

3. Permission configuration of MySQL service

Through ps aux | grep mysql we can see that the MySQL service is running under the mysql user. The service only requires us to When the php code connects to mysql, just bring the user name and password of mysql. It does not need to be unified as www, because the data layer needs to be isolated from the business logic layer to ensure the security of the underlying data. The authorization of mysql is mainly to add new users and divide permissions in the mysql service, which is used to control different PHP businesses to connect with identities with different permission ranges to ensure data security.

4. Summary

nginx configuration:

user www www;

php-fpm:

user = www
group = www

Directory:

drwxr-xr-x 就是755

The above is the detailed content of How to configure user permissions for nginx, php-fpm and mysql. For more information, please follow other related articles on the PHP Chinese website!