I've always been accustomed to running PHP under Nginx as the www-data user, for everything: the PHP service, cron, CLI, etc. Recently though, after reading up on firstly this article and then this article, I'd like to know how necessary it is to run these services as a different user. This is for a single Magento 2 application on the server.
Is it sufficient to create a new user:

```
adduser magento2user
passwd magento2user
usermod -a -G www-data magento2user
```
Then in PHP's `/usr/local/etc/php-fpm.d/www.conf`:

```
[www]
user = magento2user
group = magento2user
...
listen.owner = www-data
listen.group = www-data
```
And then finally:

```
chown -R magento2user:www-data /var/www/html
```
My confusion is coming from this on the Magento 2 DevDocs:
We recommend two users if you run your own Magento server: one to transfer files and run command-line utilities, and a separate user for the web server software. When possible, this is preferable because it’s more secure.
Instead, you have separate users:
• The web server user, which runs the Magento Admin (including Setup Wizard) and storefront.
• A command-line user, which is a local user account you can use to log in to the server. This user runs Magento cron jobs and command-line utilities.
So by this, should PHP-FPM be run as `www-data`, but the files be owned by `magento2user`, who belongs to the `www-data` group?
EDIT after Simon Greenwood's answer below
If I run `ps aux | grep nginx | grep -v grep` I get the following output:

```
1 www-data 0:00 nginx: master process nginx -g daemon off;
7 www-data 0:00 nginx: worker process
```
... so I don't think I need an entry in `/etc/nginx/nginx.conf` that reads `user www-data`.
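The layout the DevDocs quote describes (php-fpm and nginx running as the web server user, the code owned by a separate CLI user with the web server's group on it, and group write only where Magento writes at runtime) as an added example script; it is not part of the original question, nor Magento's own tooling. It reuses the question's hypothetical names `magento2user`, `www-data` and `/var/www/html`, assumes a Linux host with GNU find/chmod, and deliberately limits group write to `var`, `generated`, `pub/static`, `pub/media` and `app/etc`, since Composer and `bin/magento` run as the owning CLI user and need no group write on the rest of the tree.

```shell
#!/bin/sh
# Added example (not from the original question): two-user Magento 2 layout.
# Hypothetical names taken from the question: CLI user "magento2user" owns the
# code, php-fpm and nginx run as "www-data", docroot is /var/www/html.
# Assumes Linux with GNU find/chmod.
set -eu

MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/html}"
CLI_USER="${CLI_USER:-magento2user}"
WEB_USER="${WEB_USER:-www-data}"

# Only these trees are written by the web server at runtime (cache, generated
# code, static files, media uploads, env.php/config.php from the Setup Wizard).
# Everything else stays read-only for the www-data group.
WRITABLE_DIRS="var generated pub/static pub/media app/etc"

# Pool config that runs php-fpm as the web server user, not as the file owner.
write_fpm_pool() {
    pool_file="$1"; web_user="$2"
    cat > "$pool_file" <<EOF
[www]
user = $web_user
group = $web_user
listen = /run/php/php-fpm.sock
; nginx workers run as $web_user too, so the socket owner matches
listen.owner = $web_user
listen.group = $web_user
listen.mode = 0660
EOF
}

# CLI user owns everything, web server group can read it. chown needs root;
# when not root we only report what would run so the chmod step still works.
set_ownership() {
    root="$1"; owner="$2"; group="$3"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$group" "$root"
    else
        echo "not root, skipping: chown -R $owner:$group $root" >&2
    fi
}

# Baseline u=rwx,g=rx,o= on dirs and u=rw,g=r,o= on files (env.php holds DB
# credentials, so nothing is world-readable). Runtime dirs get group write and
# setgid so files php-fpm creates as www-data keep the www-data group.
apply_magento_perms() {
    (
        cd "$1"
        find . -type d -exec chmod 750 {} +
        find . -type f -exec chmod 640 {} +
        for d in $WRITABLE_DIRS; do
            [ -d "$d" ] || continue
            find "$d" -type d -exec chmod 2770 {} +
            find "$d" -type f -exec chmod 660 {} +
        done
        if [ -f bin/magento ]; then chmod 750 bin/magento; fi
    )
}

# Exit 0 only if every runtime dir is group-writable + setgid, its files are
# group rw, and nothing in the tree is accessible to "other".
check_magento_perms() {
    (
        cd "$1"
        for d in $WRITABLE_DIRS; do
            [ -d "$d" ] || continue
            [ -z "$(find "$d" -type d ! -perm -2070)" ] || exit 1
            [ -z "$(find "$d" -type f ! -perm -0060)" ] || exit 1
        done
        [ -z "$(find . -perm /o=rwx)" ] || exit 1
    )
}

# Run with "apply" to do it for real, e.g.: sudo sh two_user_perms.sh apply
if [ "${1:-}" = "apply" ]; then
    write_fpm_pool /usr/local/etc/php-fpm.d/www.conf "$WEB_USER"
    set_ownership "$MAGENTO_ROOT" "$CLI_USER" "$WEB_USER"
    apply_magento_perms "$MAGENTO_ROOT"
    check_magento_perms "$MAGENTO_ROOT" && echo "permissions OK"
fi
```

Two caveats when using this for real. The setgid bit only preserves the group on files php-fpm creates; whether those files are group-writable is decided by php-fpm's umask, so with the usual default of 022 the CLI user can read but not overwrite cache and generated files, and you either set `UMask=0002` on the php-fpm service (the systemd directive) or rerun `apply_magento_perms` before each deploy. And `check_magento_perms` is worth running from cron as the CLI user: a tree that drifts back to world-readable exposes `app/etc/env.php`, which carries the database credentials.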