That warning is not the same as "permissions". On most servers, you don't need to set permissions at all, because permissions are always read+write for the "owner" of the directory. The warning above is for public visibility, because you want /config/config.user.json to not be accessible from the web. From Apache, it's done in the .htaccess:
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
It's not related to permissions, which are still read+write for config dir and files within.
I created a nginx config sample in the link below, which is tried and tested, although you may need to adjust paths based on your own server.
https://gist.github.com/mjau-mjau/6dc19 ... e566a8457b
The option that blocks public (web) access:
# Prevent web access to X3 /config and /_cache directories
location ~ /(config|_cache) {
deny all;
}
Not related to file/folder read/write permissions on the local file system.
I hope you solve it.