New User/Group for New Website on ubuntu

June 19, 2017 2.8k views
LEMP Ubuntu 16.04
landed
By:
landed

I did this..
https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04

It makes sense to me, much better than doing what I see advocated here (DO forums) a lot.
make all the websites www-data/www-data..
This is better than root but all the websites can access each others files. So I wanted a new group and user for each website. The websites are php CMS sites.

So the main issue I get is the folders are not accessible when I set the owner and group to
mysite1:mysite1

I don’t think the folder permissions are wrong at this point because when I set it to www-data:www-data I have working sites.

Thanks I am thinking there might be some step missing that gives mynewgroup the right access in the tutorial it seems like I just create the group but I feel I need to specify some rights for this group?

Thanks

1 comment
  • landed June 19, 2017

    In fact looking at the permissions for the directory it shows
    drwxr-xr-x 3 style-review style-review..etc
    after doing ls -ld

    So
    User is rwx
    Group is r-x
    Other is r-x

Log In to Comment
3 Answers
jtittle MOD June 19, 2017

@landed

By default, PHP-FPM runs as www-data, so if you’re wanting to set up multiple sites, you’ll need to copy over the default configuration file and modify it to suite your new user and group.

You can find the default PHP-FPM configuration file here:

/etc/php/VERS/fpm/pool.d/www.conf

Where VERS is your PHP version (i.e. 5.6, 7.0, or 7.1).

What I normally do is simply rename that file to the first site that I’m configuring, so for this example, I’ll use domain.com and PHP 7.0 as the version.

mv /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/domain.com.conf

Now I’ll open up the configuration file:

nano /etc/php/7.0/fpm/pool.d/domain.com.conf

On line 4 you’ll see [www] – I normally change that to the user that will be associated with my site, so if my user and group are user1, then that becomes [user1].

Now on lines 22 and 23, you’ll see:

user = www-data
group = www-data

We’ll change that to our user and group, so for user1, it’d look like:

user = user1
group = user1

Next, on line 35, you’ll see:

listen = /run/php/php7.0-fpm.sock

I prefer using TCP as it’s often easier to configure, so I change the socket path to a TCP connection, like so:

listen = 127.0.0.1:9000

For each new configuration file, you’d up the port by 1, so it’d become 9001 for the next site, 9002 for the next, and so on.

From there, that’s all the changes you need to make in this file, so we can save and close, then restart PHP-FPM using:

service php7.0-fpm restart

If you’re using 5.6 or 7.1, simply modify the above command to suite.

When using TCP connections, you’ll need to modify one more thing in your NGINX server block and that would be fastcgi_pass. You’ll need to make sure the TCP address is used in place of the socket.

So what we’d end up using is:

fastcgi_pass 127.0.0.1:9000

As with the PHP-FPM pool file, you’ll up that port to match each configuration file.

You would then restart NGINX for the changes to take.

Once you’ve done all that, then all you need to do is make sure permissions are correct on the files. So for this example, I’d make sure all files and directories in my home path are owned by user1.

If my home directory is:

/home/user1/htdocs/public

Then I’d use chown to recursively set ownership:

chown -R user1:user1 /home/user1/*
Reply
  • landed June 19, 2017

    Yes followed you as in the tutorial apart from the TCP method if listening. I do feel that I get the pooling working as I see the process and am using my config files for each website.

    What is not working is the directories are not writable..

    I even tried to do chmod -R g+w directory/ as I was not seeing the the group had write, but alas it still didn’t work. Now I can see why people often settle for the only thing that seems to work www-data:www-data..

    • jtittle MOD June 19, 2017

      @landed

      If you are using sockets instead of TCP, you’ll need to change two more configuration lines in the pool file for each site. There’s actually two sets of user:group configuration in the file, one for sockets and one for TCP.

      You’ll need to find:

      listen.owner = www-data
listen.group = www-data

      And change www-data to your user and group, then restart PHP-FPM once again.

      • landed June 19, 2017

        In the tutorial it said that this needed to remain as www-data anyway this is the complete config file..

        [site1]
user = site1
group = site1
listen = /var/run/php/php7.0-fpm-site1.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /

        Will try what you said anyway again - thanks.

      • landed June 19, 2017

        Well I thought I had a config file - noting that the sock file came up in pink it showed it thought it was an image and so the config that I thought I was saving wasn’t hence an empty config file..I may be onto the right path - thanks

        [Edit] Cannot create a .sock file that doesn’t change to a pink entity in terminal - loosing its content..hmmm

        [Edit 2] I was trying to edit a created file - this is the wrong sock file..

jtittle MOD June 19, 2017

@landed

You may need to set permissions to reflect ownership by the www-data group since that’s the user that NGINX is running as on most default repositories.

For example, if /home/site1/htdocs is our home directory, you’d run:

chown -R site1:www-data /home/site1/*

You’d then set the previous configuration (from my last reply) back to normal, i.e:

listen.owner = www-data
listen.group = www-data

This is one reason why I normally recommend using TCP instead of sockets. With TCP, there’s no need to allow NGINX direct access to the files and directories. Instead, PHP is granted that access.

NGINX may run as nginx or www-data, or any user you define, while PHP-FPM will run explicitly as the user and group defined by 

user = www-data
group = www-data

You can use either or, though I find that sockets can be a little more problematic since it’s not always clear what you need to configure :).

Reply
  • landed June 19, 2017

    Thanks that is a good suggestion - trying that and finding my issue is now just this 

     #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
 fastcgi_pass unix:/run/php/php7.0-fpm-site1.sock;

    the top one works the bottom 404’s

    • jtittle MOD June 19, 2017

      @landed

      As long as /run/php/php7.0-fpm-site1.sock is what’s defined in the pool file, it should work. Though you can tail the logs to see if there’s anything that pops up to show otherwise.

      tail -20 /var/log/nginx/error.log

      I just ran a test on a fresh Droplet with NGINX and PHP-FPM (7.0) and was able to swap out the names as long as PHP-FPM / NGINX was restarted after each change and the socket name matched both the pool file and NGINX.

      • landed June 19, 2017 
        2017/06/19 17:42:59 [crit] 19133#19133: *1 connect() to unix:/run/php/php7.0-fpm-site1.sock failed (13: Permission denied) while connecting to upstream, client: 94.2.238.187, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm-site1.sock:", host: "1.1.1.1"
2017/06/19 17:42:59 [error] 19133#19133: *1 open() "/usr/share/nginx/html/50x.html" failed (2: No such file or directory), client: 94.2.238.187, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm-site1.sock", host: "1.1.1.1"
2017/06/19 17:43:27 [alert] 19133#19133: *3 open socket #11 left in connection 4
2017/06/19 17:43:27 [alert] 19133#19133: *4 open socket #12 left in connection 5
2017/06/19 17:43:27 [alert] 19133#19133: *5 open socket #13 left in connection 6
2017/06/19 17:43:27 [alert] 19133#19133: *6 open socket #14 left in connection 7
2017/06/19 17:43:27 [alert] 19133#19133: *7 open socket #15 left in connection 8
2017/06/19 17:43:27 [alert] 19133#19133: aborting

        host swapped out for security

TechNomadAlex May 13, 2019

Though the approach of using TCP over sockets is interesting, I got the mentioned DO tutorial setup run by giving the “groups” and “others” x-permissions:

chmod go-rw /home/site1/

and

chmod go+x /home/site1/

So www-data can execute all the scripts, while the ownership is still site1:site1

@landed
Is there anywhere more info on the TCP over socket approach?
Thanx in advance!

Reply
Have another answer? Share your knowledge.

Related Questions