
I'm on a LEMP VPS with the following setup:

cd /home/$USER/public/myDomain.com        # change directory to myDomain.com
chown -R nginx:nginx .                    # change file ownership
find . -type d -exec chmod 750 {} \;      # change permissions for directories
find . -type f -exec chmod 640 {} \;      # change permissions for files
chmod 400 wp-config.php                   # change permission for wp-config

The problem is I cannot get into the "myDomain.com" folder without logging in as root. Also, I cannot run wp-cli as $USER; I have to run it as follows:

sudo -u nginx wp <wp-command>             # running wp-cli as user `nginx`

So, as the title says, what is the security-wise setup for file ownership & permissions on a LEMP VPS?

Nick

1 Answer


This has been fully covered under "NGINX and PHP-FPM. What my permissions should be?".

Essentially:

  • Always have a site-specific user for security purposes, and, for convenience, name it after your domain name, e.g. for example.com, create an example user.
  • Set up NGINX to be a member of the site-specific user group: usermod -a -G example nginx
  • Now you can secure things as needed by setting the user (owner) permission bits where PHP needs to read/execute files, and removing the group permission bits where NGINX does not need access.

With the suggested setup, chmod 400 for wp-config.php will result in read-only access to the configuration, only for the site user (and NGINX won't be able to serve it, which is good).

Regarding where files should be stored

Provided that there are two users, nick (the sudo user) and example (the site-specific user):

Website files should either be moved to a user-agnostic location (e.g. under /var/www/example.com), or (slightly worse) be put under the website user's home directory, e.g. /home/example/example.com.

If you intend to use a single SSH user for connections, you can simply switch to the site-specific user at will. E.g. if you prefer to always connect as nick, but sometimes work with example.com, you would change to the website user with sudo -iu example.

Storing website files in the home directory of a sudo-able user doesn't sound secure and is the least preferable option:

  1. if the website files are owned by nick (and you don't have an example user at all), should the website be hacked, the attacker can gain administrative access to the entire server;
  2. if the website files are owned by example, the only way it will work is by lowering the restrictions on /home/nick from 0700 to 0750 (at least).

The FHS-blessed location for served files is actually /srv/, which is arguable, but is in any case better than home directories.

Danila Vershinin
  • I'll have 3 users: `root`, `nick` (sudo enabled) & `example` (sudo disabled). Website folders are in `/home/nick/public/example.com`. So, `example` should not have `ssh` access and does not need a `home` directory (i.e. `useradd example -M`). Am I right? And when I `ssh` as `nick`, can I `cd` into the `example.com` folder? Can I run `wp-cli` without `sudo -u example`? Thanks. – Nick Oct 23 '20 at 09:52
  • Having 3 users (`root`, a sudo user, and a website user) is fine. But do *not* put one user's files under the home directory of the other. Website files should either be moved to a user-agnostic location (e.g. under `/var/www/example.com`), or (slightly worse) be put under the website user's home directory, e.g. `/home/example/example.com`. Then simply always have the habit of connecting as the `example` user (FileZilla, SSH, etc.) when you are about to do website-related work (using the `wp` CLI or whatever). Connect over SSH as the `nick` user (your sudo user) when you intend to do server-side administration. – Danila Vershinin Oct 23 '20 at 11:03
  • Since I already put my website files under `/home/nick/` and I prefer to use a single `ssh` user, can I add the sudo user to the group? i.e. `useradd -a -G example nick`. Will it work? If it works, what would be the disadvantages of doing it? – Nick Oct 23 '20 at 12:05
  • See the updated answer. – Danila Vershinin Oct 23 '20 at 12:35
  • I moved my folder to `/srv/example.com` & edited `nginx.conf`. My site is working properly. When I do `chown -R example:example .`, the site goes down saying `No input file specified`. – Nick Oct 23 '20 at 17:39
  • I guess you were not reading the linked article thoroughly enough. Your issue indicates that your PHP-FPM pool is not configured with the `example` user. Depending on your specific NGINX configuration, the `nginx` user might also require access to PHP files (namely for things like `if (!-e $request_filename)`, which are good to be lost as they are evil). Finally, of course, you need proper chmod on the parent directory for the `example` user to be able to traverse all the way to the site files, which means chmod 0755 for `/srv` if it is owned by `root`, etc. – Danila Vershinin Oct 23 '20 at 17:59
  • I put everything in subdirectories of `/srv/www`. `/var/www` is a system directory and system packages install stuff there. I do not want my stuff to conflict with any system installed files. Also `/srv/www` will have correct SELinux contexts for serving web files. – Michael Hampton Oct 23 '20 at 18:09
  • @DanilaVershinin `/srv` is already owned by `root` with `755` permissions. I replaced all `nginx` with `example` in `/etc/php/7.3/fpm/pool.d/example.com.conf`, including `user = example` & `group = example`, which is not mentioned in the linked guide. But I didn't touch this line: `listen = /run/php/php7.3-fpm.sock`. – Nick Oct 23 '20 at 18:48
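As an added example (not code from the answer or from any commenter), here is a POSIX shell script that implements the site-user/group model from the answer plus the PHP-FPM pool change the comment thread arrives at, with a check function that reports any entry deviating from the 750/640/400 scheme. It assumes the user names `example` and `nginx` and the socket path quoted in the comments; only `provision_site_owner` needs root, the rest runs as any user on a constructed sample tree.

```shell
#!/bin/sh
# Added example, not code from the answer or from WordPress/NGINX/PHP-FPM.
# Assumed names from the thread: site user "example", web-server user "nginx".
SITE_USER="${SITE_USER:-example}"
WEB_USER="${WEB_USER:-nginx}"

# Root only: create the site user, add nginx to its group, hand over the tree.
provision_site_owner() {
    id "$SITE_USER" >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin "$SITE_USER"
    usermod -a -G "$SITE_USER" "$WEB_USER"   # nginx reads through the group bit
    chown -R "$SITE_USER:$SITE_USER" "$1"
}

# Owner of the tree (no root needed): dirs 750, files 640, wp-config.php 400.
apply_site_perms() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
    [ -f "$1/wp-config.php" ] && chmod 400 "$1/wp-config.php"
    return 0
}

# Returns 0 only when every entry matches that model (no world bits, no
# group-writable files, wp-config.php readable by the owner alone).
check_site_perms() {
    findings=$(find "$1" \( -type d ! -perm 750 \) -o \
        \( -type f ! -name wp-config.php ! -perm 640 \) -o \
        \( -type f -name wp-config.php ! -perm 400 \) | wc -l | tr -d ' ')
    [ "$findings" -eq 0 ]
}

# PHP-FPM pool lines the comments arrive at: PHP runs as the site user, the
# socket (path quoted above) stays reachable by nginx via listen.owner/group.
fpm_pool_snippet() {
    printf 'user = %s\ngroup = %s\nlisten = /run/php/php7.3-fpm.sock\n' \
        "$SITE_USER" "$SITE_USER"
    printf 'listen.owner = %s\nlisten.group = %s\nlisten.mode = 0660\n' \
        "$WEB_USER" "$WEB_USER"
}

# Constructed sample tree (no real site needed) showing apply + check.
demo_constructed_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/wp-content/uploads"
    : > "$tmp/index.php"; : > "$tmp/wp-config.php"; : > "$tmp/wp-content/uploads/a.jpg"
    chmod 777 "$tmp/wp-content/uploads"          # deliberately wrong to start with
    apply_site_perms "$tmp" && check_site_perms "$tmp"; rc=$?
    rm -rf "$tmp"
    return $rc
}
demo_constructed_tree && echo "sample tree matches the 750/640/400 model"
```

Run `check_site_perms /srv/example.com` after any deployment or plugin update to catch files that came back world-readable or group-writable.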