17

Permissions are something that has confused me for a while with Linux. So at the minute both my Nginx and PHP-FPM instances are running with the user and group:

www-data

Is this standard? I run into trouble when I come across file uploading.

For example, a file would be uploaded with both the user and group www-data. Now, due to how I set permissions (0440) in my web application, I can't log in via SSH with my normal account to download those files. This can't be changed.

I was thinking of changing my nginx and php instance to keep the group, but change them to run under my user name.

What's the correct way of handling permissions here? Thank you.

The Pixel Developer

3 Answers

14

This is how this works: when you log in via FTP/SSH and upload files, they are created with your permissions. Probably your webroot is world-writable (0777), which is insecure: every user on the system can write something there. PHP runs with different user privileges (they are specified in the PHP-FPM config, not the nginx config), and as the directory is world-writable, the PHP user (www-data) can also write there. But the owner of this file is www-data, not your account. They are 2 distinct accounts at the filesystem permission level.

I suggest you create a dedicated user with the least possible privileges, which would own the webroot directory, would be used for FTP/SSH upload AND would run PHP. You should change the PHP-FPM config (in the worker section there is a user entry) and the NGINX config, so you can make your website files not world-readable and more secure.

Don't run PHP with a privileged user (sudo capabilities, write privileges outside the docroot); that could cause a server security compromise.

Kristaps
    Nice answer, I created a new user, new folders, copied everything over, applied the correct permissions and chrooted the user. Works nicely. Thank You. – The Pixel Developer Aug 11 '09 at 15:44
  • Could I just add my FTP user to `www-data` group instead of creating the dedicated user? Does it solve @ThePixelDeveloper's issue? Thanks. – Vladyslav Turak Jan 30 '18 at 17:59
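An added example (not part of the answer above or of any project): a small audit script that checks the two things this answer warns about, a world-writable webroot and files owned by a different account than the one that is supposed to own the webroot, and then strips the "other" bits the way the answer suggests. The directory tree, the mode values and the `harden` policy (directories 0750, files 0640) are constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_webroot(root, expected_uid):
    """Walk root and return sorted (relative_path, problem) pairs.

    Flags entries that are world-writable (any user on the box can
    drop files there) and entries not owned by expected_uid (the
    dedicated account that should own the webroot).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in entries:
            st = os.lstat(path)  # lstat: do not follow symlinks
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_uid != expected_uid:
                findings.append((rel, "owner-mismatch"))
    return sorted(findings)


def harden(root):
    """Remove all 'other' bits: directories 0750, regular files 0640.

    Assumed policy for the demo: the owning account needs rwx/rw,
    the group (e.g. www-data) needs read and traverse, nobody else
    needs anything.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o750)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o640)


def build_demo_tree():
    """Constructed sample webroot: one insecure upload directory."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.chmod(root, 0o755)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)  # the world-writable mistake
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'hi';\n")
    os.chmod(index, 0o640)
    photo = os.path.join(uploads, "photo.jpg")
    with open(photo, "wb") as fh:
        fh.write(b"\xff\xd8demo")
    os.chmod(photo, 0o440)
    return root


def demo():
    """Run the audit before and after hardening; return the findings."""
    root = build_demo_tree()
    me = os.getuid()
    before = audit_webroot(root, me)
    harden(root)
    after = audit_webroot(root, me)
    # Pretend the webroot should belong to some other account:
    wrong_owner = audit_webroot(root, me + 1)
    return {"before": before, "after": after, "wrong_owner": wrong_owner}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings)
```

Run against a real webroot with the uid of the dedicated account (`pwd.getpwnam("www-data").pw_uid`, for instance) to get the same report; the sample tree only exists so the script runs offline.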
2

The www-data user & group are quite standard. It may be www or web on other systems but the idea is the same: run the web services with a dedicated account. Thus, when your web server is compromised, the attacker will only be able to access the files that this account has been granted access to.

If a user has to manage the web services, you should add the user to the relevant group (www-data) or allow him to su (or sudo) to the relevant user (still www-data).

icc97
Benoit
  • The reason for www-data is that it is an account with zero privileges - it cannot write to any file on the entire file system, nor read anything but world-readable files. Previously, you would use the built-in user "nobody" to achieve this. However, by creating "www-data" you have the possibility to allow this user to write to *some* files, without having to make those files world-writable (which is bad). The basic principle, that "www-data" is as privileged as "nobody" in every other way, holds true. – thomasrutter Apr 09 '11 at 16:29
  • @thomasrutter, from what I understand, I should run Nginx and PHP-FPM under the www-data user that is in the www-data group. If I want this user to be able to `read` & `write` to some folder, I need to give him proper permissions. In most cases, this would be the web root folder `/var/www/html` and `755` permission. Am I right? Thanks! – Vladyslav Turak Jan 30 '18 at 15:22
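An added example, not from this answer or its comments: a model of how Unix decides owner/group/other access, used to work through the situations raised on this page. It shows why the questioner's 0440 upload owned by www-data:www-data is unreadable to the normal account, what changes when that account is added to the www-data group (the comment above), and what 755 versus 770 on a directory owned by the admin user with group www-data means for the PHP worker. The uids, gids and names below are constructed for the demo; the evaluation rule (owner bits if you are the owner, else group bits if you are in the group, else other bits, with no fall-through, and root bypassing read/write) is the standard one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A process identity: uid plus the set of gids it belongs to."""
    name: str
    uid: int
    groups: frozenset


@dataclass(frozen=True)
class Inode:
    """The permission-relevant part of a file or directory."""
    mode: int   # permission bits only, e.g. 0o440
    uid: int    # owning user
    gid: int    # owning group


def can_access(who, ino, want):
    """Return True if `who` may perform `want` ('r', 'w' or 'x') on ino.

    Classic discretionary check: exactly one of the three bit triplets
    applies, chosen by identity, and the other triplets are never
    consulted. Root (uid 0) bypasses read/write and needs any x bit
    for execute.
    """
    shift = {"r": 2, "w": 1, "x": 0}[want]
    if who.uid == 0:
        return want != "x" or bool(ino.mode & 0o111)
    if who.uid == ino.uid:
        bits = (ino.mode >> 6) & 0o7
    elif ino.gid in who.groups:
        bits = (ino.mode >> 3) & 0o7
    else:
        bits = ino.mode & 0o7
    return bool((bits >> shift) & 1)


# Constructed identities: uid/gid 33 for www-data is Debian's convention,
# uid 1000 for the admin's normal account is an assumption.
WWW_DATA_GID = 33
WWW_DATA = Principal("www-data", 33, frozenset({WWW_DATA_GID}))
ADMIN = Principal("admin", 1000, frozenset({1000}))
ADMIN_IN_GROUP = Principal("admin", 1000, frozenset({1000, WWW_DATA_GID}))

# The questioner's uploaded file: 0440, owned by www-data:www-data.
UPLOAD = Inode(0o440, 33, WWW_DATA_GID)
# Web root owned by the admin account, group www-data.
WEBROOT_755 = Inode(0o755, 1000, WWW_DATA_GID)
WEBROOT_770 = Inode(0o770, 1000, WWW_DATA_GID)


def scenarios():
    """Evaluate the cases discussed on the page; returns name -> bool."""
    return {
        # Only owner/group bits are set, and admin is neither.
        "admin reads 0440 upload": can_access(ADMIN, UPLOAD, "r"),
        # Adding admin to www-data makes the group triplet apply.
        "admin-in-www-data reads 0440 upload":
            can_access(ADMIN_IN_GROUP, UPLOAD, "r"),
        # 0440 has no write bit anywhere, not even for the owner.
        "www-data writes 0440 upload": can_access(WWW_DATA, UPLOAD, "w"),
        # 755 lets www-data list and traverse, but not create files.
        "www-data reads 755 webroot": can_access(WWW_DATA, WEBROOT_755, "r"),
        "www-data writes 755 webroot": can_access(WWW_DATA, WEBROOT_755, "w"),
        # 770 grants the group write without opening it to everyone.
        "www-data writes 770 webroot": can_access(WWW_DATA, WEBROOT_770, "w"),
        "other writes 770 webroot":
            can_access(Principal("guest", 2000, frozenset({2000})),
                       WEBROOT_770, "w"),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The practical reading: if the PHP worker must be able to create files in a directory, give that directory group write with group www-data (0770 or 2770 with the setgid bit so new files inherit the group) rather than 0777, and the worker gains nothing on the rest of the tree.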
1

I try to avoid having nginx/php execute scripts owned as www-data for security reasons.

sysadmin1138
Colm Troy