July 19, 2017

A Forge-Like Setup


To help with permissions, we can do a setup similar to Forge, where user "forge" runs our applications and deploys them.

This has three steps:

  1. Set ownership of the code files to the user you select
  2. Set PHP-FPM to run as that user
  3. Allow user "forge" to reload PHP-FPM

Code Setup

First we'll create a user "forge" (I chose forge, but you can create any username you want).

# Create user + password
sudo adduser forge

# Move code to the forge user's home directory
sudo mv /var/www/myapp /home/forge/myapp
sudo chown -R forge: /home/forge/myapp

PHP-FPM

Edit /etc/php/7.1/fpm/pool.d/www.conf and set the user and group that PHP-FPM runs as to forge.

user = forge
group = forge

Then restart PHP when that change is saved:

sudo service php7.1-fpm restart

Sudoers

If we automate deployments, then it's likely we'll want to reload PHP-FPM when we're done. This requires sudo, but I don't really want to allow user forge to run any command, and since we're automating it, we don't have the opportunity to input the user's password.

We can create a sudoers config file to allow this, however:

sudo visudo -f /etc/sudoers.d/php-fpm

Add the following content:

forge ALL=NOPASSWD: /usr/sbin/service php7.1-fpm reload

This allows user forge, on any host where this file applies (the ALL field), to run the service php7.1-fpm reload command using sudo, without requiring a password. Any other command run through sudo still prompts for one.

sudo su forge
sudo apt-get update # requires password

sudo service php7.1-fpm reload # works without a password!
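
The rule above is safe because it names one absolute path with fixed arguments. The following lint is an added example, not part of the original post; it flags NOPASSWD entries in a drop-in that grant more than that. The function name audit_nopasswd and the sample rules after the first are constructed for illustration, and it assumes one rule per line with no aliases or line continuations.

```shell
#!/bin/sh
# Added example (not from the original post): flag NOPASSWD rules in a sudoers
# drop-in that grant more than one fixed command line.
# Assumed limits: one rule per line, no aliases, no line continuations.

# audit_nopasswd FILE -> prints findings, returns 0 only when none are found.
audit_nopasswd() {
    findings=0
    while IFS= read -r line; do
        case $line in
            '#'*) continue ;;          # comment
            *NOPASSWD:*) ;;            # rule we care about
            *) continue ;;
        esac
        cmds=${line#*NOPASSWD:}        # comma-separated command list
        old_ifs=$IFS; IFS=,
        set -f                         # keep "*" in a rule from globbing
        for cmd in $cmds; do
            cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            case $cmd in
                ALL)     echo "any command: $cmd" ;;
                *[*?]*)  echo "wildcard: $cmd" ;;
                /*' '*)  continue ;;   # absolute path with fixed arguments
                /*)      echo "no arguments listed, so any are allowed: $cmd" ;;
                *)       echo "not an absolute path: $cmd" ;;
            esac
            findings=$((findings + 1))
        done
        set +f; IFS=$old_ifs
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Demo on constructed rules; only the first line is the rule from the post.
demo=$(mktemp)
cat > "$demo" <<'EOF'
forge ALL=NOPASSWD: /usr/sbin/service php7.1-fpm reload
forge ALL=NOPASSWD: /usr/sbin/service
forge ALL=NOPASSWD: /usr/sbin/service php*-fpm reload, ALL
EOF
audit_nopasswd "$demo" || echo "drop-in grants more than intended"
rm -f "$demo"
```

This checks scope only; syntax is still validated by visudo when the file is saved.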
