I tried to search about this question before, but there seems to be nowhere where it is explained thoroughly, mostly only pieces of problem such as app/storagepermission has not been set so webserver can write file, but my problem seems bigger and more fundamental, I hope someone can explain thoroughly how this should be setup, preferably without needing to set permission to 777.

之前也搜索过这个问题，好像没有什么地方讲的很透彻，主要是app/storage权限等问题没有设置好webserver可以写文件，但是我的问题好像更大更根本，希望有人可以彻底解释这应该如何设置，最好不需要设置权限777。

So my stack is Ubuntu 14.04, PHP 5.6with PHP-FPMbecause I use nginx 1.4.6and I use Laravel 4.2as framework, ow and one more I use Gitas my versioning tool. So what is the necessary step-by-step to allow the following:

所以我的堆栈是Ubuntu 14.04、PHP 5.6和PHP-FPM，因为我使用nginx 1.4.6，我使用Laravel 4.2作为框架，还有一个我使用Git作为我的版本控制工具。那么什么是必要的逐步允许以下内容：

1. Setting the initial project, Git and Nginx:

   So as far as I know, Nginx is set up to use username www-dataas default right? Does it means that I have to assign my user e.g. kevinto the group www-data? When I am initialize git, create the project using composer, set up SSH public/private key, do I need to belong to the group www-dataor I have to be sudoor what? In my production server, I tried using sudofor setting up everything somehow it makes it easier to do all the thing above, but is it the best practice?

2. Making app/storagewritable for webserver:

   I think this is the second and most vital for Laravel, because unless this works Laravel won't be running, my knowledge is that this folder has to be writable by the webserver (nginx), so I need to set this to sudo chown -R www-data:www-data app/storageand sudo chmod -R 664 app/storageright? But somehow this doesn't seem to work all the time because during my development sometimes it will tell that a cache of a view cannot be written into the app/storagefolder, so in the end I has to set it to 777or 775if I'm lucky.

3. Public folder, or place of my assets

   Here I have some inconsistency too, I have set it up at the end to 777to ensure that all my files can be accessed by nginx. Sometimes nginxwill tell me that some image in my asset folder seems to be forbidden and it will only return HTTP 200 if I either set to 777or change the group to www-data:www-data, do I have to change the permission or group for every image that I created from Gimp, Photoshop, or when I downloaded from Dropbox or from my email when my graphic designer design new icons?

4. File Upload

   So somewhere around the time, people will be able to upload for example their profile picture, or when I post a blog I can upload a picture, it means that at some point the file upload script will move the file from the /tmpfolder to my publicfolder, it may need to only write into a subdirectory in publicor maybe sometimes it needs to create a folder based on a certain idand move the file into the directory, most of time I will get an error that the directory seems not to be writable or some permission error as such during of the execution of the script. Does this mean that the PHP processhas to be run with certain permission too? Or does it mean that the directory has to have a certain permission? Does this problem relate to the Nginx serviceor does it relate to the PHP process?

   I have the experience to use packages such as roumen/sitemapor jlapp/swaggervel, they seems to use the same Facade File, but somehow they don't have any problem with permission, I try to replicate their code behaviour but I hit the problem above.

5. Queue, Artisan, other Command-Line based executed script

   Last, are Command-Line based executed script, does this behave the same as script that executed from interaction with webserver, such as the file upload above, or do I need to prepare for other inconsistencies?

1. 设置初始项目，Git 和 Nginx：

   据我所知，Nginx 设置www-data为默认使用用户名，对吗？这是否意味着我必须将我的用户分配kevin给该组www-data？当我初始化 git 时，使用 Composer 创建项目，设置 SSH 公钥/私钥，我是否需要属于该组www-data或我必须属于sudo还是什么？在我的生产服务器中，我尝试使用sudo它以某种方式设置所有内容，这样可以更轻松地完成上述所有操作，但这是最佳实践吗？

2. 使app/storage网络服务器可写：

   我认为这是 Laravel 的第二个也是最重要的，因为除非这个工作 Laravel 不会运行，我的知识是这个文件夹必须由网络服务器（nginx）写入，所以我需要将它设置为sudo chown -R www-data:www-data app/storage和sudo chmod -R 664 app/storage对吗？但不知何故，这似乎并不总是有效，因为在我的开发过程中，有时它会告诉我无法将视图的缓存写入app/storage文件夹，所以最后我必须将其设置为777或者775如果我很幸运。

3. 公共文件夹，或我的资产的地方

   这里我也有一些不一致的地方，我在最后进行777了设置，以确保nginx可以访问我的所有文件。有时nginx会告诉我，我的资产文件夹中的某些图像似乎被禁止，如果我将组设置为777或更改为www-data:www-data，它只会返回 HTTP 200 ，我是否必须为我创建的每个图像更改权限或组Gimp、Photoshop，或者当我的平面设计师设计新图标时从 Dropbox 或电子邮件中下载？

4. 上传文件

   所以在某个时候，人们将能够上传例如他们的个人资料图片，或者当我发布博客时我可以上传图片，这意味着在某个时候文件上传脚本会将文件从/tmp文件夹移动到我的public文件夹，它可能只需要写入一个子目录，public或者有时它需要基于某个文件夹创建一个文件夹id并将文件移动到该目录中，大多数时候我会收到一个错误，该目录似乎不可写或某些脚本执行期间的权限错误。这是否意味着PHP 进程也必须在特定权限下运行？还是说目录必须有一定的权限？这个问题是否与Nginx服务有关还是与PHP 进程有关？

   我有使用诸如roumen/sitemapor 之类的包的经验jlapp/swaggervel，他们似乎使用相同的 Facade File，但不知何故他们没有任何许可问题，我尝试复制他们的代码行为，但我遇到了上面的问题。

5. 队列，工匠，其他基于命令行的执行脚本

   最后，是基于命令行的执行脚本，它的行为是否与通过与网络服务器交互执行的脚本相同，例如上面的文件上传，或者我是否需要为其他不一致做准备？

Thank you, if someone can explain this to me. I think if I figure it out, I will create a blog post or something, appreciate it guys! :D

谢谢，如果有人可以向我解释这一点。我想如果我弄明白了，我会写一篇博文什么的，谢谢你们！:D