I have set up an nginx server nginx/1.10.2 on CentOS 7. I have configured nginx to use php-fpm PHP 5.4.16 (fpm-fcgi) (built: Nov 6 2016 00:30:57).
I use a new pool configured at /etc/php-fpm.d/piwik.conf:
[piwik]
user = piwik
group = piwik
listen = /var/run/php5-fpm-piwik.sock
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
;php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
The important part of nginx.conf:
location ~ ^/piwik/(.*)$ {
    root /usr/share/nginx/html;
    try_files $uri =404;
    #fastcgi_pass 127.0.0.1:9000;
    fastcgi_pass unix:/var/run/php5-fpm-piwik.sock;
    # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # fastcgi_param PATH_INFO $fastcgi_script_name;
    # include fastcgi_params;
    include fastcgi.conf;
    # fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_index info1.php;
}
When I request http://localhost/piwik/info1.php it shows me _SERVER["USER"] piwik.
So now I only have a problem setting the right permissions to folder /usr/share/nginx/html/piwik.
As I have read, the user needs x permission on the whole path to traverse into the correct folder. The folder and files must be readable, and for piwik some folders must be writable. Because CentOS 7 enables SELinux by default, I had to run the following commands to get write access:
chcon -R -t httpd_sys_content_rw_t /usr/share/nginx/html/piwik/tmp/
systemctl restart php-fpm
I have changed the user and group to piwik. But when I set the following rights with chmod 700 -R /usr/share/nginx/html/piwik/ I cannot access the files; I get a permission denied error. I figured out that I need the rights 701:
drwx-----x. 13 piwik piwik 4096 18. Aug 09:49 .
drwxr-xr-x. 5 root root 4096 16. Aug 04:27 ..
-rwx-----x. 1 piwik piwik 932 8. Jun 2015 bower.json
-rwx-----x. 1 piwik piwik 38272 11. Apr 2016 CHANGELOG.md
...
...
Please help me to understand why I have to enable the executable bit for other users.
OK, for serving static files even 775 must be set?!
Thank You.
Best regards
EDIT:
The problem is not the serving of dynamic PHP files. It's the serving of static files, because nginx runs under one specific user.
I have found this link: https://serverfault.com/questions/370820/user-per-virtual-host-in-nginx
A useful comment was: Give the document root a group of www-data and perms 0710 when you set up the vhost (since this needs root to configure nginx, it's not a problem to have your automation also set the necessary permissions). Then the contents of the docroot just need to be o+x for directories and o+r for files.
So I think this is a good setup: nginx runs as user nginx; to separate different users (apps), set the following permissions (run as root):
ls -la /usr/share/nginx/
drwx--x--x. 6 nginx nginx 4096 18. Aug 19:18 html
groupadd pydio
useradd -g pydio pydio
mkdir /usr/share/nginx/html/pydio/
chown pydio:pydio -R /usr/share/nginx/html/pydio/
find /usr/share/nginx/html/pydio/ -type d -exec chmod 701 {} \;
find /usr/share/nginx/html/pydio/ -type f -exec chmod 704 {} \;
chmod 710 /usr/share/nginx/html/pydio/
Please can anyone check?
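To make both questions in the post concrete (why 700 fails while 701 works, and whether the pydio commands actually let nginx in), here is an added Python model of the POSIX permission check that nginx and php-fpm go through. It is an illustration written for this page, not code from the question, from nginx or from php-fpm. The paths, owners and modes are taken from the post, except that /usr, /usr/share and /usr/share/nginx are assumed to be root:root 0755 (stock CentOS) and css/site.css is an assumed static asset. The model separates the two checks that matter here: stat(), which try_files performs as the nginx user and which needs only the x bit on every directory along the path, and open-for-read, which nginx needs for static files and php-fpm performs for .php files as the pool user.

```python
"""Model of the POSIX access checks behind the permission problem above.

Added illustration, not code from the question, nginx or php-fpm. Paths, owners
and modes come from the post except where a comment says "assumed". Root,
capabilities, POSIX ACLs and SELinux labels are deliberately outside the model.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int           # permission bits only, e.g. 0o701
    is_dir: bool = False


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset   # primary plus supplementary group names


def allowed(node: Node, who: Principal, want: str) -> bool:
    """One POSIX access-class decision: owner bits if the user owns the node,
    else group bits if a group matches, else 'other' bits. Only the selected
    class counts, so an owner with mode 0o070 is denied read."""
    shift = 6 if who.user == node.owner else 3 if node.group in who.groups else 0
    return bool((node.mode >> shift) & {"r": 4, "w": 2, "x": 1}[want])


def can_reach(tree: Dict[str, Node], path: str, who: Principal) -> Tuple[bool, str]:
    """Can `who` stat() `path`? That is all nginx's try_files needs: search (x)
    on every directory along the path. The file's own mode is not consulted,
    so an x bit on a regular file buys nothing."""
    parts, cur = path.strip("/").split("/"), ""
    for part in parts[:-1]:
        cur += "/" + part
        node = tree.get(cur)
        if node is None or not node.is_dir:
            return False, f"{cur} is missing or not a directory"
        if not allowed(node, who, "x"):
            return False, f"{who.user} lacks search (x) permission on {cur}"
    if path not in tree:
        return False, f"{path} does not exist"
    return True, "ok"


def can_read(tree: Dict[str, Node], path: str, who: Principal) -> Tuple[bool, str]:
    """Can `who` open `path` for reading? nginx needs this for static files;
    .php files are read by php-fpm as the pool user instead."""
    ok, why = can_reach(tree, path, who)
    if ok and not allowed(tree[path], who, "r"):
        return False, f"{who.user} lacks read (r) permission on {path}"
    return ok, why


# /usr, /usr/share, /usr/share/nginx: assumed root:root 0755 (stock CentOS).
# /usr/share/nginx/html: nginx:nginx 0711, from the ls -la output in the post.
BASE = {
    "/usr": Node("root", "root", 0o755, True),
    "/usr/share": Node("root", "root", 0o755, True),
    "/usr/share/nginx": Node("root", "root", 0o755, True),
    "/usr/share/nginx/html": Node("nginx", "nginx", 0o711, True),
}
PIWIK_FILE = "/usr/share/nginx/html/piwik/CHANGELOG.md"   # from the post
PYDIO_FILE = "/usr/share/nginx/html/pydio/css/site.css"  # assumed static asset
NGINX = Principal("nginx", frozenset({"nginx"}))
PIWIK = Principal("piwik", frozenset({"piwik"}))


def piwik_tree(dir_mode: int, file_mode: int) -> Dict[str, Node]:
    """The piwik docroot from the post, owned piwik:piwik, with chosen modes."""
    t = dict(BASE)
    t["/usr/share/nginx/html/piwik"] = Node("piwik", "piwik", dir_mode, True)
    t[PIWIK_FILE] = Node("piwik", "piwik", file_mode)
    return t


def pydio_tree(docroot_group: str) -> Dict[str, Node]:
    """The proposed pydio layout: docroot 0710 with the given group,
    subdirectories 0701, files 0704 (the find/chmod commands in the post)."""
    t = dict(BASE)
    t["/usr/share/nginx/html/pydio"] = Node("pydio", docroot_group, 0o710, True)
    t["/usr/share/nginx/html/pydio/css"] = Node("pydio", "pydio", 0o701, True)
    t[PYDIO_FILE] = Node("pydio", "pydio", 0o704)
    return t


if __name__ == "__main__":
    for label, tree in [("700 everywhere", piwik_tree(0o700, 0o700)),
                        ("701 everywhere", piwik_tree(0o701, 0o701)),
                        ("dirs 701, files 704", piwik_tree(0o701, 0o704))]:
        print(f"piwik {label}: nginx stat={can_reach(tree, PIWIK_FILE, NGINX)}"
              f" read={can_read(tree, PIWIK_FILE, NGINX)}")
    for grp in ("pydio", "nginx"):
        print(f"pydio docroot 710 group={grp}: "
              f"nginx read={can_read(pydio_tree(grp), PYDIO_FILE, NGINX)}")
```

Running it reproduces the three situations from the post. With 700 on the piwik directory, nginx (neither owner nor group member) has no x bit and cannot even stat CHANGELOG.md, so try_files fails before php-fpm is involved. With 701 on directories, nginx can stat the file, which is all a .php request needs because php-fpm then reads the script as piwik. The x bit on regular files contributes nothing to either check, so 701 on files should be 704 (o+r) wherever nginx is to serve them statically. For the pydio commands: after chown pydio:pydio -R the docroot's group is pydio, so 0710 leaves nginx in the "other" class with no x and the model reports the same denial as the 700 case; the quoted advice only works if the docroot directory itself carries group nginx (chown pydio:nginx on that one directory, leaving the contents pydio:pydio). SELinux is outside the model; note separately that a chcon label does not survive a filesystem relabel, whereas semanage fcontext followed by restorecon is persistent.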