To help with permissions, we can do a setup similar to Forge, where a dedicated user "forge" owns the code, runs our application and deploys it.
This has three steps:
- Set code file ownership to the user you select
- Set PHP-FPM to run as that user
- Allow user "forge" to reload PHP-FPM
Code Setup
First we'll create a user "forge" (I chose forge, but you can create any username you want).
# Create user + password
sudo adduser forge
# Move code into the forge user's home directory and give forge ownership of it
sudo mv /var/www/myapp /home/forge/myapp
sudo chown -R forge: /home/forge/myapp
PHP-FPM
Edit /etc/php/7.1/fpm/pool.d/www.conf and set the user/group that PHP-FPM's workers run as to user forge. Leave the listen.owner/listen.group settings alone: those control who may connect to the FPM socket (the web server's user), not who the PHP processes run as.
user = forge
group = forge
Then restart PHP-FPM once that change is saved:
sudo service php7.1-fpm restart
Sudoers
If we automate deployments, we'll likely want to reload PHP-FPM when we're done. That requires sudo, but I don't want to allow user forge to run any command, and since we're automating it, there is no opportunity to type the user's password.
We can create a sudoers config file to allow this, however:
sudo visudo -f /etc/sudoers.d/php-fpm
Add the following content:
forge ALL=NOPASSWD: /usr/sbin/service php7.1-fpm reload
This allows user forge to run the service php7.1-fpm reload command using sudo, without requiring a password. The ALL in the host position means the rule applies on every host this sudoers file is installed on; it says nothing about where the user logs in from. sudo matches the whole command line, so a different verb or extra arguments (for example service php7.1-fpm restart) are not covered by this rule. We can check the result:
sudo su forge
sudo apt-get update # requires password
sudo service php7.1-fpm reload # works without a password!
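The three steps above as one idempotent script, added here as an example and not part of the original post. It assumes Debian/Ubuntu tooling (adduser, service, visudo, GNU sed), takes the deploy user and PHP version as variables, and, unlike the interactive adduser above, creates the user without a password on the assumption that deployments log in with SSH keys. The function names are my own. The sudoers fragment is syntax-checked with visudo and installed with mode 0440 before it lands in /etc/sudoers.d, and the pool edit touches only the user/group lines.

```bash
#!/bin/sh
# Added example, not from the original article: the deploy-user setup as one
# idempotent script. Assumptions not in the original: Debian/Ubuntu tooling
# (adduser, service, visudo, GNU sed) and a web server that runs as www-data.
set -eu

DEPLOY_USER="${DEPLOY_USER:-forge}"
PHP_VERSION="${PHP_VERSION:-7.1}"
APP_SRC="${APP_SRC:-/var/www/myapp}"

# The one command the deploy user may run with sudo. sudo matches the whole
# command line, so "restart", extra arguments, or another unit are refused.
sudoers_rule() {
  printf '%s ALL=NOPASSWD: /usr/sbin/service php%s-fpm reload\n' "$1" "$2"
}

# Point the user/group lines of a PHP-FPM pool file at the deploy user.
# listen.owner/listen.group are left alone: they control who may connect to
# the FPM socket (the web server), not who the PHP workers run as.
# Returns 1 if the file has no user/group lines to rewrite.
set_pool_user() {
  pool_file="$1"; user="$2"
  grep -Eq '^user = ' "$pool_file" && grep -Eq '^group = ' "$pool_file" || return 1
  sed -i -E -e "s/^user = .*/user = ${user}/" \
            -e "s/^group = .*/group = ${user}/" "$pool_file"
}

# Read back the user a pool file runs as, for verification.
pool_user() {
  sed -nE 's/^user = (.*)$/\1/p' "$1"
}

# Write the sudoers fragment via a temp file so it is syntax-checked before
# it lands in /etc/sudoers.d (a broken fragment breaks sudo for everyone).
install_sudoers_rule() {
  user="$1"; php="$2"; target="/etc/sudoers.d/php-fpm"
  tmp="$(mktemp)"
  sudoers_rule "$user" "$php" > "$tmp"
  visudo -cf "$tmp"
  # sudo ignores fragments that are not root-owned with mode 0440.
  install -o root -g root -m 0440 "$tmp" "$target"
  rm -f "$tmp"
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  pool_conf="/etc/php/${PHP_VERSION}/fpm/pool.d/www.conf"

  # 1. Deploy user. No password: deploys are expected to log in with SSH keys.
  id "$DEPLOY_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$DEPLOY_USER"

  # 2. Code ownership (skip the move if the code is already in place).
  [ -d "$APP_SRC" ] && mv "$APP_SRC" "/home/${DEPLOY_USER}/myapp"
  chown -R "${DEPLOY_USER}:" "/home/${DEPLOY_USER}/myapp"

  # 3. PHP-FPM workers run as the deploy user.
  set_pool_user "$pool_conf" "$DEPLOY_USER"
  service "php${PHP_VERSION}-fpm" restart

  # 4. Passwordless reload, and nothing else.
  install_sudoers_rule "$DEPLOY_USER" "$PHP_VERSION"

  # Verify: the pool user, and exactly what sudo grants the deploy user.
  echo "pool runs as: $(pool_user "$pool_conf")"
  sudo -l -U "$DEPLOY_USER"
}

# Only apply when asked, so the functions can be sourced or tested on their own.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as root with sudo ./setup-deploy-user.sh apply; the closing sudo -l -U output should list only the single reload command.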