
So I am trying to set up a webserver which will use nginx to serve a static site (for now). I set up a git repo that I want to push to in order to make deployment easy (using this guide: https://www.digitalocean.com/community/tutorials/how-to-use-git-hooks-to-automate-development-and-deployment-tasks).

I have done some reading about the importance of restricting directory/file permissions when setting up any server, but I am confused about how I should set them up exactly and how different permissions put nginx/my server at risk.

According to this thread on serverfault:

Quote: Originally posted by druuna: /var/www and all its files/subdirectories should be owned by the user and group that runs apache (apache:apache for example)!!

NO! ABSOLUTELY NOT!

If you do that, you allow Apache and any scripts it runs, to modify existing files and to create new ones. Any slight programming bug in any of your scripts, or a slight error in Apache configuration (allowing anonymous DAV, for example) will expose your Apache server for malicious use.

If you run a known Apache server, you'll see in the logs that there are people out there that scan servers for known script vulnerabilities. If you happen to have one of those in your server, and you're using the configuration Druuna suggested, your server will be subverted. At minimum, it will be used as a drop-box for illicit files, or for spreading malware or viruses; at worst, they'll upload a script that uses an unpatched security vulnerability to get full control of your server. At that point, you're screwed: only a full reinstall from known good sources will give you back the control of your server.

The accepted answer to this question on serverfault seems like a good direction, but as noted in the "Maintained by a group of users" section:

One thing to be careful about with this solution is that the user owner of new files will match the creator instead of being set to www-data. So any new files you create won't be readable by Apache until you chown them.

So, is this answer right? Is it applicable to my situation (I own the server, only hosting one static site...)? How do I overcome the issue of having to separately chown the new files?

Could someone give me further breakdown on how a compromised nginx webserver could compromise the whole host server and how that relates (or doesn't) to file/directory permissions? I am finding very scattered/contradictory/non-concise/non-comprehensive information by googling.

Thanks.
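
One way to check a deployed web root against the two concerns quoted in the question (files the server account can modify, and newly created files it cannot read), as an added example that is not part of the original post. The function name `audit_webroot` and the finding labels are made up here, and the script assumes the server account (for example `nginx` or `www-data`) neither owns the tree nor belongs to its group, so it reaches files through the "other" permission bits.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the web server account neither owns the tree nor is a member
# of its group, so it reaches files only through the "other" mode bits.

# audit_webroot ROOT SERVER_USER
# Prints one "<FINDING> <path>" line per problem; prints nothing if clean.
audit_webroot() {
    root=$1
    server_user=$2   # account name or numeric uid

    # Anything owned by the server account can be rewritten or replaced by
    # it, which is the situation the quoted reply warns about.
    find "$root" -user "$server_user" -exec printf 'OWNED_BY_SERVER %s\n' {} \;

    # World-writable entries are writable by the server account as well.
    # Symlinks are skipped because their own mode bits are not meaningful.
    find "$root" ! -type l -perm -0002 -exec printf 'WORLD_WRITABLE %s\n' {} \;

    # Files without "other" read cannot be served, e.g. a file created by
    # the deploying user under a restrictive umask.
    find "$root" -type f ! -perm -0004 -exec printf 'NOT_READABLE %s\n' {} \;

    # Directories need the search (x) bit for "other" to be traversed.
    find "$root" -type d ! -perm -0001 -exec printf 'NOT_TRAVERSABLE %s\n' {} \;
}

# Stand-alone use: sh audit.sh /var/www/site www-data
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

Run after each deploy, an empty result means the server account can read everything under the root and can write nothing there.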
