Running php-fpm with different user group using umask

The aim of this tutorial is to get a working configuration for running php-fpm with a different user and group, using umask.
As web server you can choose between Apache2 and Nginx.
The web server (Apache2/Nginx) daemon process will run as www-data, and all requests that need PHP processing will run as youruser:yourgroup.
We will use umask 002, so newly created directories get permissions 775 and files get 664. Files and directories will belong to youruser:yourgroup, so we add the existing www-data user to yourgroup. Because the group then has write access, www-data, as a member of yourgroup, can modify everything under that web directory. This kind of setup makes it possible for each php-fpm pool and web directory/virtual host to have its own user and group while the web server's user:group stays untouched. All the steps described in this tutorial are based on the target OS Debian 8.

Prerequisites:

  • A working Apache2 or Nginx Webserver Installation running on Debian 8 or newer.
  • A functional PHP5-FPM Installation with PHP5 or PHP7.
  • Text editor (vi, joe, nano) of your choice.

For Apache2:

vi /etc/apache2/envvars
Add the following as the first line of the file:
umask 002

then restart apache2: systemctl restart apache2

For Nginx:

cp /lib/systemd/system/nginx.service /etc/systemd/system/
vi /etc/systemd/system/nginx.service
Add UMask=0002 to the [Service] section.
systemctl daemon-reload

then restart nginx: systemctl restart nginx

Now let's change our PHP5-FPM settings by adding our custom user:group to the /etc/php5/fpm/pool.d/www.conf config file:

vi /etc/php5/fpm/pool.d/www.conf
user = youruser
group = yourgroup

Then we copy the systemd unit files to a persistent place (so they are not overwritten on system updates) and modify the copies:

For PHP5:

cp /lib/systemd/system/php5-fpm.service /etc/systemd/system/
vi /etc/systemd/system/php5-fpm.service
Add UMask=0002 to the [Service] section.
systemctl daemon-reload
systemctl restart php5-fpm

For PHP7:

cp /lib/systemd/system/php7.0-fpm.service /etc/systemd/system/
vi /etc/systemd/system/php7.0-fpm.service
Add UMask=0002 to the [Service] section.
systemctl daemon-reload
systemctl restart php7.0-fpm

Add www-data user to yourgroup:

usermod -a -G yourgroup www-data

Create the website base directory structure:

chown -R youruser:yourgroup /var/www/yourwebdir
chmod g+s /var/www/yourwebdir
find /var/www/yourwebdir -type f -exec chmod 664 {} \;
find /var/www/yourwebdir -type d -exec chmod 2775 {} \;

And all should function properly.
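
To check the result rather than assume it, the following added example (not part of the original tutorial; the function names probe_umask and audit_webroot are illustrative) shows which modes a process creates under umask 002 versus 022 inside a setgid directory, and audits a tree against the 2775/664/group layout set up above. It assumes GNU find and stat, as shipped with Debian, and runs its demo in a throw-away directory.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial; function names are illustrative.

# probe_umask DIR MASK: create a file and a directory in DIR the way a process
# running with umask MASK would, print "<file mode> <dir mode>", then clean up.
probe_umask() {
    local dir=$1 mask=$2
    (
        umask "$mask"
        cd "$dir" || exit 1
        touch .probe_file && mkdir .probe_dir || exit 1
        printf '%s %s\n' "$(stat -c %a .probe_file)" "$(stat -c %a .probe_dir)"
        rm -rf .probe_file .probe_dir
    )
}

# audit_webroot DIR GROUP: print one line per entry that deviates from the
# tutorial's layout (directories 2775, files 664, everything in GROUP).
# Returns 0 when the tree is clean, 1 when at least one deviation was printed.
audit_webroot() {
    local dir=$1 group=$2 findings
    findings=$(
        find "$dir" -type d ! -perm 2775 -printf 'dir-mode  %m %p\n'
        find "$dir" -type f ! -perm 664  -printf 'file-mode %m %p\n'
        find "$dir" ! -group "$group"    -printf 'group     %g %p\n'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo in a temporary directory, so it needs neither root nor
# /var/www. On a real host: audit_webroot /var/www/yourwebdir yourgroup
demo() {
    local root
    root=$(mktemp -d) || return 1
    chmod 2775 "$root"
    echo "umask 002 -> $(probe_umask "$root" 002)"   # modes after this tutorial's change
    echo "umask 022 -> $(probe_umask "$root" 022)"   # modes under the common default
    ( umask 022; touch "$root/upload.php" )          # file written with the wrong umask
    audit_webroot "$root" "$(stat -c %g "$root")" || echo "audit: deviations found"
    rm -rf "$root"
}

demo
```

A file reported as 644 after the change means the process that wrote it did not pick up the new umask; `systemctl show -p UMask php5-fpm` prints the value systemd applies to the unit.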

Bonus:
There is also a GECOS field in /etc/passwd which you can use for your login accounts to force the umask when creating files and directories via sftp/shell.

To add this, enter the following command:

chfn --other='umask=0002' YourUsername
Jules

Jules is the owner and author of ISPIRE.ME. He's a Linux System Engineer, Tech fanatic and an Open Source fan.

  • Hi,

    Thank you very much for this "how to".
    I searched a long time before I found your tuto.

    I followed the instructions and that works perfectly!

    I didn't really understand what I did with systemctl & service files, but I will do some research later ;)

    Regards,
    Neoblaster.

  • Downside of this approach is if the original file gets updated the changes won't appear in your copy config file.
    The recommended way is to simply create an override file.
    e.g.
    mkdir /etc/systemd/system/php5-fpm.service.d
    vi /etc/systemd/system/php5-fpm.service.d/custom.conf
    and just add the below

    [Service]
    UMask=0002

    Save and reload systemd. Job's a good'un.

    • That might be the way for most users. I prefer using my own service files, since my service files mostly differ from the maintained service files.

  • I'm late to the party but just wanted to say thanks, this works like a charm and is much easier than the other method of messing around with virtualhosts which has been giving me a headache for hours.
