Re: Webserver user/group

[Frédéric Fauberteau <triaxx%NetBSD.org@localhost>]

Le 07/04/2020 à 02:16, Greg Troxel a écrit :
> Frédéric Fauberteau <triaxx%NetBSD.org@localhost> writes:
> 
>> If I run nginx as nginx user and php-fpm as fpm user, I get permission
>> denied errors. It is probably a problem in my own configuration.
> 
> It sounds like you have found a way to deal with this.
> 
>> But I did not suggest to add a dedicated user for php-fpm. It was just
>> an example to illustrate my point. My proposition was to declare
>> WWW_USER/WWW_GROUP for need of packages that require files owned by
>> the user that runs the webserver. I don't find very consistent to
>> write APACHE_USER=nginx or APACHE_USER=lighttpd because there is no
>> relation to apache at all. However WWW_USER=nginx sounds better for
>> me. If we defined WWW_USER=${APACHE_USER}, it does not change the
>> default policy. I can cite another example: www/php-piwigo uses
>> APACHE_USER to set file ownership to www. This behavior appears to me
>> as a the remainder of a time where everyone used Apache httpd (I used
>> too). But maybe I am totally wrong and it is an intentional policy. In
>> this case, I don't touch anything.
> 
> I didn't misunderstand you.  I was really trying to ask if what you
> proposed was necessary, particularly for fpm where there can be a
> separate user.

Particularly for fpm, no. Thanks to these discussions, I have now FPM_USER=fpm and FPM_GROUP=www in my mk.conf.

> It seems like after you figured out how to have each program have its
> own logs, there might not be any need for even group writability?

Right.