nginx & file permissions

I'm running nginx on Debian Lenny. I have many people on the box and they all have "http" directories in their home folders, and I have nginx vhosts configured for those.

The problem is: how do I make it so that only the user and nginx can read the files inside the user's home directories?


Solution 1:

There are different options for this, but one option would be to make the permissions in the http folder so group has read only and the group is the user's group (i.e. kbrandt). Then just add nginx to the kbrandt group. The downside to this route is that if the user's group has access to other things the nginx user could theoretically read it if that http directory / vhost is "broken out" of.

Solution 2:

  1. Make sure that the "http" directory permission will be at least "1750".

  2. The ownership should be like "username:nginx", recursively starting from the "http" directory.

  3. Just install OnDir http://swapoff.org/ondir.html and configure it properly. You may also combine it with a simple BASH script that executes it via a cronjob. As a starting point for your script, you may use the lines below and develop them for your own needs.

# Files get 640 (owner rw, group nginx r, no access for others); directories get 1750.
PERMFILE=640
chmod 1750 /home/username/http
find /home/username/http -type d -exec chmod 1750 '{}' ';'
find /home/username/http -type f -exec chmod "$PERMFILE" '{}' ';'
chown -R username:nginx /home/username/http
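To make the scheme from Solution 2 checkable rather than just applied once, here is an added example (not from either answer) that wraps the chmod part in a function and adds an audit that reports anything under a user's http tree that is still readable by "other" or is owned by a group other than the web server's. It assumes GNU find and coreutils as on Debian and, as in the answer, that nginx runs with group "nginx"; the chown step is left to the answer's own lines because it needs root.

```shell
#!/bin/sh
# Tighten an http tree the way Solution 2 describes:
# directories 1750 (owner rwx, group rx, sticky), regular files 640.
# Usage: harden_http_dir /home/username/http
harden_http_dir() {
    find "$1" -type d -exec chmod 1750 '{}' ';'
    find "$1" -type f -exec chmod 640 '{}' ';'
}

# Audit an http tree. Prints every entry that has any "other" permission
# bit set (GNU find: -perm /o=rwx) and, when a group is given, every entry
# not owned by that group. Returns 0 when the tree is clean, 1 otherwise.
# Usage: audit_http_dir /home/username/http [nginx]
audit_http_dir() {
    dir=$1
    group=${2:-}          # web server group, e.g. nginx (assumed name)
    status=0

    world=$(find "$dir" -perm /o=rwx -print)
    if [ -n "$world" ]; then
        printf 'readable by others:\n%s\n' "$world"
        status=1
    fi

    if [ -n "$group" ]; then
        wrong=$(find "$dir" ! -group "$group" -print 2>/dev/null)
        if [ -n "$wrong" ]; then
            printf 'not owned by group %s:\n%s\n' "$group" "$wrong"
            status=1
        fi
    fi
    return $status
}

# Example run (constructed sample tree, not a real user's home):
#   harden_http_dir /tmp/demo/http && audit_http_dir /tmp/demo/http nginx
```

Running the audit from cron alongside OnDir gives you a report whenever a user uploads something with a permissive umask.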