Perfect /www/html permissions for non-cpanel installation


It seems every permission problem I have, I throw more chown commands at the server till the problem goes away. I built my own LEMP server (droplet) on digital ocean. I know just enough to know you can't trust the various answers here. And sometimes the guidance is too many permissions. I've learned if you run cpanel (which I don't), then 0666/0777 permissions are probably your answer. But, a DIYed lamp/lemp install would be probably more 0644/0755.

I'm intimidated to tinker and build my next XF forum and WWW server (combined same server). I'm a bit OCD in needing tight security, so, I'm looking for an approach to an ideal scheme. 'Ideal' here meaning:
A) I would finally understand rather than just throw more chown commands at it.
B) Have a good directory and owner/group structure. (my username appears all over the html folder. This seems bad).
C) Have good standard operating procedures and security for 'user' and 'service' accounts.
D) And most importantly, know I had tight security.

#1. What are all main processes an XF server needs? For example, I want to use the 'lsof' command to verify for myself what user account is running php-fpm7?

john@xenforo:/var/www/html$ sudo lsof | grep /usr/lib/php
php-fpm7. 850 root mem REG 252,1 47208 262912 /usr/lib/php/20170718/
php-fpm7. 850 root mem REG 252,1 255704 263203 /usr/lib/php/20170718/
php-fpm7. 850 root mem REG 252,1 445152 260032 /usr/lib/php/20170718/
php-fpm7. 971 www-data mem REG 252,1 59720 265382 /usr/lib/php/20170718/
php-fpm7. 971 www-data mem REG 252,1 30824 262914 /usr/lib/php/20170718/
php-fpm7. 971 www-data mem REG 252,1 47208 262912 /usr/lib/php/20170718/
---hundreds of lines were cut out---

Why even ask this? I found on another thread for 'fixing addon uploads via gui'..... use the 'lsof -i' command to find what 'user' runs the php process, so you can use the chown command properly for that user. In that post, their user was nginx. Another was httpd. When I run it above, I get both root and www-data but no nginx.

So, if I wanted to reset recursively all the permissions, and all users on my /var/www/html folder, and change owner of said processes as well, then a good understanding of which processes to check is useful. What other processes should we be checking for an XF server?

#2. What order of installing do you think is ideal for a DIY sys admin XF or www server (no cpanel)?

Using the example in #1 above from another post, one user had nginx tied to their PHP process, while I have www-data. I would think this is the result of a difference in order of setting up the server. Maybe what user account did patch udpates? Maybe one was a droplet (mine) and the other was really diy from scratch?

So, what order do you recommend for ease of repetitiveness and security?
Last edited: