app/storage chmod 777 safe?

Nope, that's not safe.

@xdega This might help you

https://laracasts.com/discuss/channels/general-discussion/laravel-framework-file-permission-security

@adrian7 what do you have your storage set to? I've only been able to get it working with 777, maybe I missed something? I get the same 500 @xdega gets when I try to access the application if I don't have the settings put to that.

Shaun

Change ownership (recursively) to the same system user that the webserver (or php-fpm/hhvm) is running as. Often this is www-data. Then you should be able to safely set it to 700 for all of the directories, and 600 for all of the files in those directories.

744/644 would also work and be secure enough, but if you have ownership set up correctly you can completely prevent all access to any other user, which is the most secure option.

Ok. I finally got around to setting those permissions. 700 for directories and 600 for files still gives me 500 server error. I also went ahead and set the chown to "nginx" which I believe to be the web user for nginx on centos7.

What would be my next step in troubleshooting? The problem seems to revolve around permissions.

@xdega try running a php script that just does a touch('/tmp/my-test-file'); - then check the owner of the file just to confirm if it's nginx or not. If it isn't you can chown the directory to the right owner.

@xdega If you're running nginx, then the directories and files need to be owned by the user that php-fpm runs as, not the user the nginx process runs as!

OK this may take a while. I ended up screwing my nginx config. I accidentally created 2 lines defining root. And even when I fixed the config, it still gives me the error.

When I look at all the users on my box, the only web user appears to be nginx. I am pretty sure that php-fpm is just being tunneled through the nginx user. I will look at this more for clarification once I get my config figured out.

...of course, the problem was the missing semi-colon of doom!

I seem to be having issues running the touch command. Perhaps it is just my php setup. /shrug

Very odd. I checked out my php-fpm.d and the user and group are defined as apache. How does that even work? My webserver is nginx!

And that fixed'ed it! An odd setup, but perhaps it will make things more secure. It's the last thing a hacker is going to expect, after probing my system and discovering the web-server is nginx. Thank you all for your help.

@xdega It's just a name of the user or group ID and not coupled to the apache web server :-) My php process runs as user _www. Allow either the user or the group apache write access to your storage directory (chmod 755, and chown or chgrp) and you should be good to go.

I just used "chown apache:apache" on the directory and set the permissions as previously suggested. Everything is all working now. :D