
I've always been accustomed to running PHP under Nginx as the www-data user, for everything: PHP service, cron, CLI, etc. Recently though, after reading up on firstly this article and then this article, I'd like to know how necessary it is to run these services using a different user. This is for a single Magento 2 application on the server.

Is it sufficient to create a new user:

adduser magento2user
passwd magento2user

usermod -a -G www-data magento2user

Then in the PHP-FPM pool config /usr/local/etc/php-fpm.d/www.conf:

[www]
user = magento2user
group = magento2user
...
listen.owner = www-data
listen.group = www-data

And then finally:

chown -R magento2user:www-data /var/www/html

My confusion is coming from this on the Magento 2 DevDocs:

We recommend two users if you run your own Magento server: one to transfer files and run command-line utilities, and a separate user for the web server software. When possible, this is preferable because it’s more secure.

Instead, you have separate users:

• The web server user, which runs the Magento Admin (including Setup Wizard) and storefront.

• A command-line user, which is a local user account you can use to log in to the server. This user runs Magento cron jobs and command-line utilities.

So by this, should PHP-FPM be run as www-data, but the files be owned by magento2user who belongs to the www-data group?


EDIT after Simon Greenwood's answer below

If I run ps aux | grep nginx | grep -v grep I get the following output:

1 www-data   0:00 nginx: master process nginx -g daemon off;
7 www-data   0:00 nginx: worker process

... so I don't think I need an entry in /etc/nginx/nginx.conf that reads user www-data

maGz

1 Answer


I would tend to recommend running nginx as the system user, so www-data in your case, and php-fpm as a non-privileged user, which can be the same as the shell user. You don't have to have your non-privileged user in the www-data group as nginx passes requests to php-fpm for execution. The setup suggested by the Magento docs assumes apache and mod_php, which would require the permissions setup as described above.

Simon Greenwood
  • Thanks Simon. So would you suggest that I leave my php-fpm `www.conf` as is then? – maGz Dec 18 '17 at 12:38
  • I would be inclined to do it as you have described above, you're not then exposing your application files to the system. – Simon Greenwood Dec 18 '17 at 12:45
  • Thanks Simon. Please see my edit above. So just to confirm ... leave Nginx running as `www-data` user, run PHP-FPM as `magento2user` as per my `www.conf` configuration above, but don't add `magento2user` to the `www-data` group – maGz Dec 18 '17 at 13:38
  • That should do it. – Simon Greenwood Dec 18 '17 at 14:08
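Added example (not code from the question, the answer, or the Magento project): a small POSIX shell script that verifies the user split agreed on in the thread, i.e. nginx workers running as www-data, php-fpm pool workers running as magento2user, and the pool socket owned by the nginx user so nginx can still connect. The process listing and pool file it reads are constructed samples embedded in the script so it runs offline; the socket path /run/php/php-fpm.sock and the `listen.mode = 0660` line are assumptions, not values from the question. On a live host, replace the samples with the output of `ps -eo user:20,args` and the contents of www.conf.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. It checks the
# nginx / php-fpm user split discussed above: nginx workers as www-data,
# php-fpm pool workers as magento2user, and the pool socket owned by the
# nginx user so nginx can still connect. All input below is constructed
# so the script runs offline; on a real host feed it the output of
# `ps -eo user:20,args` and the contents of the pool file.

# Constructed sample of `ps -eo user:20,args` (not captured from a real host).
SAMPLE_PS='root                 nginx: master process nginx -g daemon off;
www-data             nginx: worker process
root                 php-fpm: master process (/usr/local/etc/php-fpm.conf)
magento2user         php-fpm: pool www
magento2user         php-fpm: pool www'

# Constructed sample pool config in the shape of the www.conf from the question.
# The listen path and listen.mode are assumed values.
SAMPLE_POOL='[www]
user = magento2user
group = magento2user
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660'

# check_workers PSTEXT PATTERN EXPECTED_USER
# Prints how many process lines matching PATTERN run as a user other than
# EXPECTED_USER (0 means every matching worker runs as expected).
check_workers() {
    printf '%s\n' "$1" | grep -- "$2" |
        awk -v want="$3" '$1 != want { bad++ } END { print bad + 0 }'
}

# pool_value CONFTEXT KEY
# Prints the value of KEY from a php-fpm pool file (first match wins).
pool_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# pool_ok CONFTEXT NGINX_USER
# Succeeds when the pool runs as some user other than the nginx user and
# the socket is owned by the nginx user: the split the answer describes.
pool_ok() {
    u=$(pool_value "$1" user)
    o=$(pool_value "$1" listen.owner)
    [ -n "$u" ] && [ "$u" != "$2" ] && [ "$o" = "$2" ]
}

# files_not_owned DIR OWNER GROUP
# Prints how many entries under DIR are not owned by OWNER:GROUP, e.g. after
# `chown -R magento2user:www-data /var/www/html`. Needs a real directory.
files_not_owned() {
    find "$1" ! -user "$2" -o ! -group "$3" 2>/dev/null | wc -l | tr -d ' '
}

# Run the checks against the constructed samples.
echo "nginx workers not running as www-data: $(check_workers "$SAMPLE_PS" 'nginx: worker' www-data)"
echo "php-fpm pool workers not running as magento2user: $(check_workers "$SAMPLE_PS" 'php-fpm: pool' magento2user)"
if pool_ok "$SAMPLE_POOL" www-data; then
    echo "pool config: php-fpm user and socket owner are split as intended"
else
    echo "pool config: php-fpm runs as the nginx user or nginx cannot own the socket"
fi
```

The point of the `pool_ok` check is the one Simon makes: the pool user and the socket owner are deliberately different, so nginx only needs to reach the socket and never needs to own or write the application files, and magento2user does not need to be in the www-data group for that to work.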