Overview:
I have a dozen or so WP installs hosted on an Ubuntu 14.04 LTS, w/ PHP 5.5.9 & Nginx 1.4.6. MySQL runs on alternate node, not on public network.

Goal:
To have directories & files of each WP install NOT be world-readable. If a malicious user gets access to a particular WP install, I can't have them be able to navigate to an alternate WP install and read DB credentials.

Details:
Nginx runs as www-data. A user, with no shell, is created for each vhost. Each vhost supports a single WP install. PHP-FPM pools run specific to each user / vhost. PHP-FPM pools connect w/ Nginx via sockets, not the loopback IP.

Reading the following Wordfence article, I have attempted to set file permissions as follows:
Files - 640
Directories - 750

When I configure permissions as such, Nginx, running as www-data, can no longer correctly access the WP files. If I set permissions back to 644 & 755, everything works as expected.

Sites are installed in the following structure:
/var/www/site1.com/public
/var/www/site2.com/public
/var/www/site3.com/public

and so on.

Each directory is owned by the corresponding user & user group, i.e.:
site1-com:site1-com /var/www/site1.com

We've had a WP site get hacked, and they were able to get a php file manager script onto the server. My understanding is that this script is being run by user www-data (checked w/ ps aux). If that's true, then I suspect the malicious user could access all other WP installs via their php file manager script.

How can I improve my permission setup to harden security? I'm open to all suggestions, even if it means re-configuring the entire stack install.

Thanks in advance.

  • Partitioning the machine is the best solution but PHP's `open_basedir` directive will already prevent the PHP scripts from accessing other users' directory. – Julie Pelletier Aug 16 '16 at 16:20
  • use OS level containers to separate your users' environments. – Zeb Aug 16 '16 at 16:24
  • Docker, i.e. OS-level containers like LXC, would be perfect for this, like Zeb said. Check out https://en.wikipedia.org/wiki/LXC http://www.ubuntu.com/cloud/lxd https://www.docker.com/ – Tim Aug 16 '16 at 20:06
  • Another option which is a bit lighter is to use PHP-FPM's chroot feature to run the PHP-FPM pool inside chroot. However, it requires setting up the chroot environment, where you need essential binaries and libraries, and also devices and `/proc` and `/sys` set up. This isn't an easy task to do. I'm not sure if there is a guide of doing that. I did it by trial and error method... – Tero Kilkanen Aug 16 '16 at 23:27
  • Thank you everyone for the details. @Zeb - I was thinking about running with Vagrant, since it's a platform that we're all already familiar with at our office. – user2977468 Aug 17 '16 at 14:23
  • @Tim - I have minimal experience with Docker, but from what I understand, its containers are very similar to Vagrant's boxes. I'll do some further research today. Appreciate the advice. Thank you very much again, everyone. – user2977468 Aug 17 '16 at 14:24
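The two things the question and the first comment turn on, as an added example (not code from the question or from any commenter): why 640/750 files owned by `site1-com:site1-com` stop nginx (running as www-data) from reading them, and what a per-site PHP-FPM pool fenced with `open_basedir` looks like. `mode_allows_read` replays the kernel's owner/group/other read check on constructed inputs, `can_read_as` and `audit_site` run the same check against real files, and `write_pool` emits a pool file. The pool directory `/etc/php5/fpm/pool.d`, the socket path `/var/run/php5-fpm-<site>.sock`, the private tmp directory and the `harden_site` helper are my assumptions, not details from the question.

```shell
#!/bin/sh
# Added example, not from the question. Assumed layout: /var/www/<site>/public,
# nginx user www-data, PHP-FPM pool dir /etc/php5/fpm/pool.d, GNU stat/id.

# mode_allows_read MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# Returns 0 if USER (member of the listed groups) may read a file with the
# given octal MODE and OWNER:GROUP. Unix picks exactly one class: owner bits
# if USER owns the file, else group bits if USER is in GROUP, else other bits.
mode_allows_read() {
  mode="$1"; owner="$2"; group="$3"; user="$4"; groups="$5"
  perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # last three octal digits
  u_bits=${perms%??}; rest=${perms#?}; g_bits=${rest%?}; o_bits=${perms#??}
  if [ "$user" = "$owner" ]; then
    bits=$u_bits
  else
    case " $groups " in
      *" $group "*) bits=$g_bits ;;
      *)            bits=$o_bits ;;
    esac
  fi
  [ $(( bits & 4 )) -ne 0 ]
}

# can_read_as FILE USER: the same check against a real file and a real account
can_read_as() {
  f="$1"; u="$2"
  set -- $(stat -c '%a %U %G' "$f")
  mode_allows_read "$1" "$2" "$3" "$u" "$(id -Gn "$u")"
}

# audit_site SITE [USER]: print every path under /var/www/SITE/public that the
# nginx user cannot read; no output means the 640/750 layout serves correctly.
audit_site() {
  site="$1"; nginx_user="${2:-www-data}"
  find "/var/www/$site/public" | while read -r p; do
    can_read_as "$p" "$nginx_user" || echo "unreadable by $nginx_user: $p"
  done
}

# harden_site SITE USER (root): keep 640/750 and owner SITE-USER, and let
# nginx read through group membership only. Caveat: www-data then reads every
# site it is a member of, so anything that runs as www-data still sees all
# sites; the per-user pools below are what fences PHP itself.
harden_site() {
  site="$1"; user="$2"
  usermod -a -G "$user" www-data
  chown -R "$user:$user" "/var/www/$site"
  find "/var/www/$site" -type d -exec chmod 750 {} +
  find "/var/www/$site" -type f -exec chmod 640 {} +
}

# write_pool SITE USER [POOL_DIR]: per-site pool. PHP runs as the site user,
# only nginx may connect to the socket, and open_basedir confines every file
# operation in this pool to the site's own tree (assumed private tmp inside it).
write_pool() {
  site="$1"; user="$2"; pool_dir="${3:-/etc/php5/fpm/pool.d}"
  cat > "$pool_dir/$site.conf" <<EOF
[$site]
user = $user
group = $user
listen = /var/run/php5-fpm-$site.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; confine PHP file access to this site's tree; tmp and sessions stay inside it
php_admin_value[open_basedir] = /var/www/$site
php_admin_value[upload_tmp_dir] = /var/www/$site/tmp
php_admin_value[session.save_path] = /var/www/$site/tmp
EOF
}

# Usage (as root):  write_pool site1.com site1-com && harden_site site1.com site1-com
#                   audit_site site1.com
```

With constructed inputs, `mode_allows_read 640 site1-com site1-com www-data "www-data"` fails and `mode_allows_read 640 site1-com site1-com www-data "www-data site1-com"` succeeds: the 640 files are unreadable only because www-data is neither the owner nor in the site group, which is the whole difference between the working 644/755 setup and the 640/750 one. Note that `open_basedir` restricts PHP's own file functions, not a shell or binary PHP can spawn, which is why the comments reach for chroot or containers for a stronger boundary.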
