when I create a file ".user.ini" owned by root inside a /web folder, this file can be read by the browser. Even when this file has 0644 permissions. I create a file "test.php" Code: <?php echo shell_exec('whoami'); > and it returns "web10". Then, if the browser has the user web10, Why is there access to files owned by root, and with 0644 permissions? I can create one ".ini" files restriction inside htaccess to avoid access. Although I don't know if this is a behaviour of the php-fpm, or perhaps there is a permission problems to be fixed Sorry, I don't want to flood this subforum with too many questions. It is the first time I use php-fpm. My previous ISPC were always cgi with only one php, I'm not sure of the cause of some errors. Hope this wil be the last one!
You created a file on a Linux system and gave that file global read permissions, which means any user of the system can read it. Example: Code: root@server1:/tmp# touch test.txt root@server1:/tmp# chmod 644 test.txt root@server1:/tmp# ls -la test.txt -rw-r--r-- 1 root root 0 Mar 12 13:12 test.txt as you can see, 0644 translates to the permissions: The user root can read and write the file The group root can read the file Everyone else can read the file So any user of the system must be able to read the file when you set it to be readable by 'other'. If you want to make the file readable by the user and group only, you must use chmod 0640 and not 0644.
And as a side note, custom PHP settings should not be added into a .user.ini file, better add them in the custom php.ini field of the website, see options tab of the site.