
Filesystem Permissions

Filesystem permissions determine what the PHP process, deploy user, web server, and worker can read or write. Use least privilege and keep writable paths narrow. Granting broad write access may make one deployment error disappear while allowing a compromised process to change far more than it needs.

Map Each Runtime User

  • Identify runtime-writable cache, log, session, and upload paths.
  • Keep source and configuration read-only to the runtime where practical.
  • Use separate users or groups deliberately.

Prove Required Writes And Denials

  • Deploy permissions in automation.
  • Verify writes where required.
  • Verify denial outside writable paths.

Avoid World-Writable Workarounds

  • World-writable directories hide ownership problems.
  • Wrong deploy ownership causes runtime failures.
  • Permissions differ between CLI and FPM users.

Writable Paths

runtime read-only:
- source code
- config templates

runtime writable:
- var/cache
- var/log
- storage/private/uploads

Test permissions as the actual runtime user, not only as an administrator. CLI commands, FPM, scheduled tasks, and queue workers may run under different users and expose different failures.

Practice

Practice: Map Runtime Permissions

Map the read and write requirements for a PHP app with cache files, logs, and private uploads. Include one test that proves an unrelated source file cannot be modified by the runtime.

Requirements

  • Identify runtime-writable cache, log, session, and upload paths.
  • Keep source and configuration read-only to the runtime where practical.
  • Use separate users or groups deliberately.
  • Deploy permissions in automation.
  • Verify writes where required.
  • Verify denial outside writable paths.

Solution

Keep application source and configuration read-only to the runtime where practical. Grant write access only to deliberate cache, log, session, and private-upload paths. Configure ownership and groups during deployment rather than fixing failures with world-writable directories.

Test as the FPM or worker user: required writes should succeed, while modifying an application source file should fail. Repeat the check for CLI jobs when they run under a different account.
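
One way to script that check, as an added example that is not part of the original lesson. It assumes the three writable paths listed above sit under one app root; the function names, the `www-data` account, `/srv/app` and `public/index.php` are illustrative assumptions.

```sh
# Added example. Run as the runtime account, not as an administrator, e.g.:
#   sudo -u www-data sh check_perms.sh /srv/app public/index.php   (assumed names)

# Writable paths from the page's listing, relative to the app root.
WRITABLE_DIRS="var/cache var/log storage/private/uploads"

# Fail if anything under the app root is world-writable (symlinks skipped).
no_world_writable() {
    found=$(find "$1" ! -type l -perm -0002 -print 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/FAIL world-writable: /' >&2
        return 1
    fi
}

# Succeed only if a probe file can be created in the directory.
can_write_dir() {
    probe="$1/.perm_probe_$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# Succeed only if an existing file can be opened for writing (content untouched).
can_modify_file() { ( : >> "$1" ) 2>/dev/null; }

# check_runtime_perms APP_ROOT SOURCE_FILE
# 0 = writes work and source is protected, 1 = violation, 2 = run as root.
check_runtime_perms() {
    root=$1 src=$2 rc=0
    # Root bypasses permission bits, so a pass as root proves nothing.
    [ "$(id -u)" -ne 0 ] || { echo "run as the FPM, worker or CLI user" >&2; return 2; }
    for d in $WRITABLE_DIRS; do
        can_write_dir "$root/$d" || { echo "FAIL cannot write $d" >&2; rc=1; }
    done
    [ -f "$root/$src" ] || { echo "FAIL missing $src" >&2; return 1; }
    if can_modify_file "$root/$src"; then
        echo "FAIL runtime can modify $src" >&2; rc=1
    fi
    # A writable parent directory would let the runtime replace the file.
    if can_write_dir "$(dirname "$root/$src")"; then
        echo "FAIL runtime can write the directory of $src" >&2; rc=1
    fi
    no_world_writable "$root" || rc=1
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_runtime_perms "$1" "$2"; exit "$?"; fi
```

Run it once per account that executes the application (FPM, queue worker, scheduled CLI jobs), since each may see different ownership.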