Laravel/PyroCMS Webserver and PHP Composer Permissions


Could anyone help me with some unix permission stuff? I’ve been struggling with it for months now and can’t get it quite right.

My web server is running as www-data in the www-data group and I do my composer stuff as a user called finn with sudo privileges (but I definitely don’t sudo composer :joy:).

From what I read, it is often easier for a user to own all the files/directories but for the user to be in the www-data group, so to that effect I have written a bash script:

#!/bin/bash
sudo chown -R finn:www-data /srv/pyrocms
sudo usermod -a -G www-data finn
sudo find /srv/pyrocms -type f -exec chmod 664 {} \;
sudo find /srv/pyrocms -type d -exec chmod 775 {} \;
sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache

Where the aim is to:

1. Make me own everything
2. Add me to the www-data group
3. Set read/execute permissions
4. Change the group to www-data for the all-important storage and bootstrap/cache
5. Give me and the www-data group read/write/execute permissions on storage and bootstrap/cache

The problem! After doing composer update as the finn user I often get problems where the web server cannot write to cache files in storage/streams/{site-slug}/cache/ and it kicks the bucket throwing 500 errors.

What can I do to fix this?

2

There are 2 best solutions below

2
rob006 On BEST ANSWER

Since you already have sudo privileges and you're using sudo, it may be easier to log in as the www-data user and do all tasks as www-data. There will be no problems with privileges if everything is owned by www-data:

sudo su -s /bin/bash www-data
composer install

An alternative (and probably better) option would be to create a dedicated user (like www-finn) and always run PHP as www-finn. It should be pretty easy to achieve if you're using php-fpm to run the PHP processes that handle web requests:

[www-finn]  
user = www-finn
group = www-finn
...
listen.owner = www-finn
listen.group = www-finn

Add www-data to the www-finn group so the web server will have access to www-finn files. And then make www-finn the owner of your web app:

sudo usermod -a -G www-finn www-data
sudo chown -R www-finn:www-finn /srv/pyrocms
5
Piterden On

You should run composer create-project pyrocms/pyrocms pyrocms from the /home/finn/srv folder, as finn and definitely NOT as a sudo user (finn may be a sudoer or not, it doesn't matter).

PHP-FPM pool config:

[finn]
user = finn
group = finn

listen = /run/php/finn-fpm.sock
listen.allowed_clients = 127.0.0.1

listen.owner = www-data
listen.group = www-data

Nginx host config:

location ~ [^/]\.php(/|$) {
  fastcgi_param     SCRIPT_FILENAME $document_root$fastcgi_script_name;

  fastcgi_pass      unix:/run/php/finn-fpm.sock;
  fastcgi_index     index.php;
  include           /etc/nginx/fastcgi_params;
}

Then you should not need to change any permissions under your finn unix user, but if there is trouble, just run the following as the finn user:

find /home/finn/srv/pyrocms -type f -exec chmod 644 {} \;
find /home/finn/srv/pyrocms -type d -exec chmod 755 {} \;
chmod -R 777 /home/finn/srv/pyrocms/storage
chmod -R 777 /home/finn/srv/pyrocms/bootstrap/cache
chmod -R 777 /home/finn/srv/pyrocms/public/app

Also, please note that you would need sudo only to edit your configs under the /etc folder.
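
Added example, not part of the question or either answer: a small audit for the failure described in the question, where entries created after the one-off chmod end up without group write for the web server. It assumes the new files were written under a umask of 022 (the thread does not state finn's umask); the temporary tree and the "default" site slug are constructed for the demo.

```bash
#!/bin/sh
# Added example, not code from the thread. The sample tree and the "default"
# site slug are constructed; point the functions at a real storage/ directory.

# List files lacking group-write and directories lacking group rwx.
audit_group_writable() {
  find "$1" \( -type f ! -perm -020 \) -o \( -type d ! -perm -070 \) | sort
}

# Add the missing group bits only on entries the audit would flag.
fix_group_writable() {
  find "$1" -type f ! -perm -020 -exec chmod g+rw {} +
  find "$1" -type d ! -perm -070 -exec chmod g+rwx {} +
}

# Constructed sample: the same cache directory written under two umasks,
# standing in for "composer update" run from a shell with umask 022 vs 002.
make_sample_tree() {
  root=$(mktemp -d) || return 1
  cache="$root/storage/streams/default/cache"
  mkdir -p "$cache"
  chmod -R ug+rwx "$root/storage"   # state right after the question's script
  ( umask 022; mkdir "$cache/strict"; : > "$cache/strict/a.php" )
  ( umask 002; mkdir "$cache/shared"; : > "$cache/shared/b.php" )
  echo "$root"
}

tree=$(make_sample_tree)
echo "Not group-writable after the umask 022 run:"
audit_group_writable "$tree/storage"
fix_group_writable "$tree/storage"
echo "Flagged after fix: $(audit_group_writable "$tree/storage" | wc -l)"
rm -rf "$tree"
```

Only the entries created under umask 022 are flagged, which shows why a recursive chmod run once does not cover files written later. Setting the setgid bit on the writable directories (`chmod g+s`) additionally makes new entries inherit the directory's group.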