This article discusses the recommended way (AGIX recommended way) to permission your web root (document root) for an Apache or NginX server. We’ve found this method to be effective and acceptable for sysadmins and developers.
A requirement of this solution is that the file system has ACL’s enabled. ACL’s will allow you to set multiple permissions for different users. This is a key requirement given that developers will possibly log in as them selves as part of teams and therefore there could be multiple developers logging in to git or work on files as they require.
The following commands will ensure that the “deployment” user, members of the “developers” group and NginX/Apache have access to the document root.
For NginX:
# First make the “/var/www/example.com” read/only for the NginX user and group and read/write for the other key users and groups.
setfacl -R -b -m user:deployment:rwx -m d:user:deployment:rwx -m user:root:rwx -m d:user:root:rwx -m group:developers:rwx -m d:group:developers:rwx -m group:nginx:rx -m d:user:nginx:rx /var/www/example.com
# Second make the “/var/www/example.com/shared” read/write for the all key users and groups.
setfacl -R -b -m user:deployment:rwx -m d:user:deployment:rwx -m user:root:rwx -m d:user:root:rwx -m group:developers:rwx -m d:group:developers:rwx -m group:nginx:rwx -m d:user:nginx:rwx /var/www/example.com/shared
For Apache/HTTPD:
# First make the “/var/www/example.com” read/only for the NginX user and group and read/write for the other key users and groups.
setfacl -R -b -m user:deployment:rwx -m d:user:deployment:rwx -m user:root:rwx -m d:user:root:rwx -m group:developers:rwx -m d:group:developers:rwx -m group:apache:rx -m d:user:apache:rx /var/www/example.com
# Second make the “/var/www/example.com/shared” read/write for the all key users and groups.
setfacl -R -b -m user:deployment:rwx -m d:user:deployment:rwx -m user:root:rwx -m d:user:root:rwx -m group:developers:rwx -m d:group:developers:rwx -m group:apache:rwx -m d:user:apache:rwx /var/www/example.com/shared