Best way to set up permissions with nginx + php-fpm on shared hosting?

I prefer to use ACLs for this. For instance:

setfacl -R -m user:www-data:rx,d:user:www-data:rx /home

This gives the www-data user access to read files and traverse directories under /home, and applies the same ACL to any new files or directories created later.

Once applied, user home directories no longer have to be world-executable (e.g. chmod o= /home/$USER), and thus users can no longer read each other's files, but nginx can.

Note that if some directories need to be writable by the web server, you can set those up on a case-by-case basis by changing both instances of the permissions rx to rwx. For example:

setfacl -R -m user:www-data:rwx,d:user:www-data:rwx /home/user/public_html/wp-content/{cache,uploads}
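As an added check (example script, not part of the answer above): feed it the output of getfacl -p /home/$USER and it confirms the named ACL, the inherited default ACL, an intact mask, and that "other" has no rights. The two sample listings are constructed, and www-data is assumed to be the nginx/php-fpm user.

```shell
# Added example, not from the original answer: audit `getfacl -p DIR` output for
# the layout above. WEB_USER is an assumption; set it to your nginx/php-fpm user.
WEB_USER="${WEB_USER:-www-data}"

# audit_acl: reads one getfacl listing on stdin, prints a line per failed
# check and returns 0 only when every check passes.
audit_acl() {
    acl=$(cat)
    rc=0
    # Named entry: the web user may read and traverse this directory.
    printf '%s\n' "$acl" | grep -q "^user:${WEB_USER}:r-x" \
        || { echo "FAIL: missing user:${WEB_USER}:r-x"; rc=1; }
    # Default entry: new files and subdirectories inherit that grant.
    printf '%s\n' "$acl" | grep -q "^default:user:${WEB_USER}:r-x" \
        || { echo "FAIL: missing default:user:${WEB_USER}:r-x"; rc=1; }
    # Mask: a mask without x silently downgrades the named entry.
    printf '%s\n' "$acl" | grep -q '^mask::..x' \
        || { echo "FAIL: mask strips execute, named entry is ineffective"; rc=1; }
    # Other: must be empty, or every local user can still traverse the tree.
    printf '%s\n' "$acl" | grep -q '^other::---' \
        || { echo "FAIL: other has access, run chmod o= on the directory"; rc=1; }
    return $rc
}

# Constructed sample: what getfacl -p prints after the setfacl and chmod above.
GOOD_ACL='# file: /home/alice
user::rwx
user:www-data:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:www-data:r-x
default:group::---
default:mask::r-x
default:other::---'

# Constructed sample: same home before chmod o= and without the d: entry.
BAD_ACL='# file: /home/bob
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::r-x'

if printf '%s\n' "$GOOD_ACL" | audit_acl; then echo "/home/alice: OK"; fi
if printf '%s\n' "$BAD_ACL" | audit_acl; then echo "/home/bob: OK"; fi
```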