I have a website being served by Nginx and I've recently set up Travis builds and deployments for it. Nginx is running the website as the www-data user. I've created a user deploy so that Travis can log in to the server through SSH and deploy the website. Deployed files are being stored with the deploy user as owner, which is different from the user that is running the website (www-data).

I'm afraid of having permission problems running the website with this setup. Should I use the same user www-data/deploy to run and deploy the website? Using this approach, will I have problems by allowing the user running the website to log in remotely through SSH?

Please enlighten me regarding this.
Best Answer
Actually, the files should not be owned by www-data because that means Nginx can modify them, which in most cases is not what you want (unless it is a CMS that needs to self-update). So all the files should be owned by deploy.

If it is a CMS and you need to write in a few folders, then those very few (one?) folders should indeed be owned by www-data. That can cause a problem if the deployment does the very first installation as well. Either offer the user to run a manual step, or have a special tool do that job, but if it is a one-time thing, just do it manually; it's going to be easy enough (especially because you only have one folder like that, right?). The CMS can also tell you if there is such a problem and stop instead of serving pages. That way you know immediately and you can avoid having problems when you try to upload a file or some similar action.

Of course, files are not owned by www-data but they need to be readable by www-data. So either make them readable by others (-rw-r--r--) or look into setting the group to www-data (-rw-r-----). In most cases, I've seen people not even take the risk of using the group. They just let others access the files because it is safer that way.

Of course, it also means that Nginx would have no access rights to the deploy user and group.
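The layout the answer recommends, as an added example that is not part of the original answer: every file and directory owned by the deploy user with group www-data (rw-r----- / rwxr-x---, so Nginx can read but not modify), plus one writable folder handed to www-data for the CMS case, and an audit function that flags the three things that go wrong in practice (world-writable files, files the web group cannot read, and site code owned by the web user outside the writable folder). The user names deploy and www-data and the writable folder name uploads are assumptions; chown needs root and both accounts, so it is skipped otherwise and the script still runs for the mode and audit parts.

```shell
#!/bin/sh
# Added example (not code from the original answer). Assumed names:
# deploy user "deploy", web user/group "www-data", writable folder "uploads".
set -eu

# Apply the recommended modes (and, when root and the accounts exist, owners).
# $1 = site root  $2 = deploy user  $3 = web user/group  $4 = writable subdir
lay_out_site() {
  root=$1; deploy_user=$2; web_user=$3; writable=$4
  mkdir -p "$root/$writable"
  # Whole tree: directories rwxr-x---, files rw-r-----, nothing for "others".
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
  if [ "$(id -u)" -eq 0 ] && id "$deploy_user" >/dev/null 2>&1 \
       && id "$web_user" >/dev/null 2>&1; then
    chown -R "$deploy_user:$web_user" "$root"          # deploy owns, www-data reads
    chown "$web_user:$web_user" "$root/$writable"      # the one folder Nginx may write
  else
    echo "skipping chown (needs root plus the $deploy_user/$web_user accounts)" >&2
  fi
}

# Read paths from stdin, report each on stderr under label $1, print the count.
report() {
  c=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    printf '%s: %s\n' "$1" "$p" >&2
    c=$((c + 1))
  done
  echo "$c"
}

# Audit a deployed tree; prints the number of violations found.
# $1 = site root  $2 = web user  $3 = writable subdir
audit_site() {
  root=$1; web_user=$2; wdir=$1/$3
  n=0
  # (a) nothing under the site root may be writable by "others"
  n=$((n + $(find "$root" -perm -002 | report "world-writable")))
  # (b) outside the writable folder the web group must be able to read files
  #     and traverse directories (640/750 or looser, e.g. 644/755)
  n=$((n + $(find "$root" ! -path "$wdir" ! -path "$wdir/*" \
      \( \( -type f ! -perm -040 \) -o \( -type d ! -perm -050 \) \) \
      | report "not readable by web group")))
  # (c) outside the writable folder nothing may belong to the web user,
  #     or a compromised Nginx/PHP process can rewrite the site itself.
  #     Skipped when that account does not exist on this machine.
  if id "$web_user" >/dev/null 2>&1; then
    n=$((n + $(find "$root" ! -path "$wdir" ! -path "$wdir/*" -user "$web_user" \
        | report "owned by web user")))
  fi
  echo "$n"
}

# Usage: lay_out_site /var/www/site deploy www-data uploads
#        audit_site   /var/www/site www-data uploads   (prints 0 when clean)
```

Run the audit from the Travis deploy step right after rsync/scp and fail the deployment when it prints anything other than 0; that catches a stray chmod 777 or a file the web server cannot read before the site goes live, instead of when an upload fails.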