Permission Configuration for Nginx, PHP‑FPM, and MySQL on Linux Servers

This article explains how to properly set file and process permissions for Nginx, PHP‑FPM, and MySQL on Linux servers, recommending the use of a dedicated www user group, showing configuration snippets, and illustrating how to verify running processes to enhance security and avoid permission‑related errors.

php中文网 Courses

Typically, web applications run on Linux distributions such as CentOS, Ubuntu, or Debian. Proper permission control for services like Nginx, PHP‑FPM, and MySQL is crucial because each service has different directory permission requirements; insufficient permissions cause runtime errors, while overly permissive settings expose the system to attacks.

1. Nginx Permissions

Nginx itself does not parse PHP; it serves static files directly and forwards PHP requests to the PHP‑FPM interpreter. Therefore the code directory must grant both Nginx and PHP the necessary rights.

Running Nginx as the root user is insecure because a compromise would give an attacker full system control. Setting the directory to rwxrwxrwx (777) is also unsafe because any web visitor could modify the files.

The recommended approach is to create a dedicated user group (commonly named www) and assign the required permissions to that group. The Nginx master process runs as root, but its worker processes run as the www user.

Example nginx.conf snippet:

<code>user www www;</code>

You can verify the running processes with:

<code>ps aux | grep nginx</code>

2. PHP‑FPM Permissions

PHP‑FPM also starts with a root master process, but its worker pool runs under a non‑privileged user. Edit the etc/php-fpm.conf file and add the following lines:

<code>user = www
group = www</code>

After reloading PHP‑FPM, you can check the user of the PHP processes:

<code>ps aux | grep php</code>

3. MySQL Permissions

MySQL runs under its own mysql user. When PHP connects to MySQL, you simply provide the MySQL username and password; there is no need to run MySQL under the www user because the data layer should be isolated from the application layer for security.

MySQL user management (creating users and granting privileges) is performed inside the MySQL service to control which PHP scripts can access which databases.

4. Summary

Configuration snippets to apply the discussed permissions:

<code># nginx.conf
user www www;

; php-fpm.conf
user = www
group = www

# directory permission (755)
drwxr-xr-x</code>

Using a dedicated www user/group ensures that the web stack runs with the minimum required privileges, reducing the attack surface while preventing permission‑related runtime failures.
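The process checks from sections 1 and 2 and the 777 warning can be scripted as a repeatable audit. This is an added example, not code from the original article: the function names and the sample ps lines are constructed for illustration, and www is the account name used above.

```shell
#!/bin/sh
# Added example: audit helpers for the dedicated-www-user setup.
# Function names are hypothetical; "www" is the account the article uses.

# Reads `ps -eo user,pid,args` style lines on stdin and prints every nginx
# worker or php-fpm pool process NOT running as user $1. Master processes are
# skipped because they are expected to start as root. Exit status 1 on any hit.
check_workers() {
    awk -v want="$1" '
        /nginx: worker process/ || /php-fpm: pool / {
            if ($1 != want) { print; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Prints everything under directory $1 that is writable by "other"
# (the rwxrwxrwx / 777 case). Symlinks are skipped: on Linux their mode is
# always 777 and is not used for access checks.
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Constructed sample of ps output, not captured from a real host.
sample_ps() {
    cat <<'EOF'
root      1001 nginx: master process /usr/sbin/nginx
www       1002 nginx: worker process
root      1003 nginx: worker process
root      2001 php-fpm: master process (etc/php-fpm.conf)
www       2002 php-fpm: pool www
nobody    2003 php-fpm: pool www
EOF
}

# Demo on the sample; on a live host: ps -eo user,pid,args | check_workers www
sample_ps | check_workers www || echo "^ workers not running as www"
```

Unlike `ps aux | grep nginx`, the filter ignores the root-owned master processes and the grep process itself, so any line it prints is a real deviation from the intended configuration.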
