
I'm running an Ubuntu 16.04 web server, with both Apache and nginx installed.

I need a setup where certain directories (dir y) are inaccessible (no read, write or execute permissions) to a certain user-group (group x).

However, group x should be able to edit the configuration files of nginx and Apache.

Currently Apache and nginx are run from a privileged user. I suspect that the members of group x may be able to edit the configuration files to read the content of dir y; am I correct in thinking this?

If the apache2 and nginx services are started by an unprivileged user - a member of group x - would this ensure there is no possible way a member of group x could read the content of dir y?

Are there any other loopholes which I should be wary of to ensure dir y stays private?


Edit: After some testing, users of group x are able to edit nginx.conf, setting the nginx user to 'root', which allows dir y to be exposed.

I see two solutions: making sure nginx's host process is run as non-root, which would create problems when binding to port 80 and 443.

Or just ensure group x cannot directly edit the nginx.conf file; maybe I could create a program that can edit everything bar the 'user' property.

Joe
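An added example, not part of the original post: a minimal pre-install check for the idea in the question's edit, rejecting a proposed nginx.conf whose `user` directive differs from the permitted account or whose `root`, `alias` or `include` paths resolve into a protected directory. The function names, the `/srv/dir_y` path, the `www-data` account and the `/etc/nginx` base are assumptions, and the tokenizer is a simplification of nginx syntax.

```python
import os
import re

# Directives whose arguments are filesystem paths nginx will read or serve.
PATH_DIRECTIVES = {"root", "alias", "include"}

def directives(conf_text):
    """Yield (name, args) per directive; simplified nginx tokenizer."""
    # Drop comments (assumes '#' never appears inside a quoted argument).
    text = re.sub(r"#[^\n]*", "", conf_text)
    for stmt in re.split(r"[;{}]", text):  # statements end at ';', '{' or '}'
        words = [w.strip("'\"") for w in stmt.split()]
        if words:
            yield words[0], words[1:]

def inside(path, directory):
    """True if path resolves (symlinks, '..') to directory or below it."""
    path, directory = os.path.realpath(path), os.path.realpath(directory)
    return os.path.commonpath([path, directory]) == directory

def vet_config(conf_text, allowed_user, protected_dirs, base="/etc/nginx"):
    """Return the reasons to reject a proposed config (empty list = accept)."""
    problems = []
    for name, args in directives(conf_text):
        if name == "user" and args[:1] != [allowed_user]:
            problems.append(f"user directive changed: {' '.join(args)}")
        if name in PATH_DIRECTIVES:
            for arg in args:
                full = os.path.join(base, arg)  # assumed base for relative paths
                for d in protected_dirs:
                    if inside(full, d):
                        problems.append(f"{name} points into {d}: {arg}")
    return problems

# Constructed sample: the change described in the question's edit, plus an alias.
SAMPLE = """
user root;   # workers would run as root
http {
    server {
        listen 80;
        location /files/ { alias /srv/dir_y/; }
        location / { root /var/www/html; }
    }
}
"""

if __name__ == "__main__":
    for problem in vet_config(SAMPLE, "www-data", ["/srv/dir_y"]):
        print("REJECT:", problem)
```

A check like this only holds if group x cannot write the live nginx.conf directly and a privileged step installs the vetted copy.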

1 Answer


My response to this would be to create two groups, such that Group Y would only have access to dir Y, but Group X would include putting the more privileged users in Group Y and Group X so that they would effectively have access to both directories in question.

lupaanst