
We have some websites on a centos nginx webserver.

Usually we put nginx:nginx as owner with 775 permissions, and developers are part of the nginx group. If you are wondering why developers need to write there: we are a small entity, and different people run things like git pull on that server.

Problem is that one of the websites got hacked (through a WordPress bug), and as all the websites are under /www/docs/websitename, all of them were compromised.

Is there a way to permit the normal work of nginx and users without "trespassing"?

Federico Galli

  • I'm not sure how to do it under nginx (I don't use it), but under Apache I always create a user/group for each website and keep their files' ownership to those users/groups only (except the log folder, which the Apache user needs to write to), usually under /home/websites/. The reason is precisely what happened to you. I use the mpm-itk module for that. – Tuncay Göncüoğlu Aug 24 '17 at 13:11
  • nginx has a suggestion here: https://www.nginx.com/resources/wiki/community/faq/#what-about-support-for-something-like-mod-suexec . Basically it gives you two options: a) have a main server and proxy to separate servers (on different ports, I guess) for each site you run under a different account, or b) run PHP as FastCGI and use separate accounts for FastCGI. Neither looks great to me, but... your choice. – Tuncay Göncüoğlu Aug 24 '17 at 13:22
  • @TuncayGöncüoğlu thanks for your attention. Permissions under nginx work the same way as under Apache, but the only simple option that came to my mind is something like nginx:usergroup with 675; that way the webserver can't write files, but I suspect that sooner or later things will break... We do run php-fpm, but it needs to have the same rights as the webserver, and so the problem returns. – Federico Galli Aug 24 '17 at 13:47
  • No, permissions under nginx work differently than under Apache. Under Apache, each virtual host can have its own user and group assigned in the virtualhost section, so that its server process runs under that user and group. In nginx there is no such thing as a separate user/group assignment for each virtualhost process (because there is no separate vhost process/thread), so every website runs as the same (presumably www-data) user/group. This is different from file owners and permissions, but related: it defines how and if the files are accessed. I suggest you read up on the link I gave. – Tuncay Göncüoğlu Aug 24 '17 at 14:14
  • FPM seems the way to go for nginx: you can configure it with different users and groups. Doesn't 675 include user write permissions, just not directory traversal? In general, giving ownership to an SFTP user and allowing the server only read access to web files works well, except for self-modifying code like the WordPress updater. – Cedric Knight Aug 25 '17 at 07:42
  • @TuncayGöncüoğlu this sentence got me tricked: "mod_suexec is a solution to a problem that NGINX does not have." But I am experimenting and testing. – Federico Galli Aug 25 '17 at 10:13
  • @CedricKnight thanks. I am evaluating from that perspective and trying to understand with the developers what our needs are when it comes to uploads of user content from internet forms and things like that (as you say, WP things). – Federico Galli Aug 25 '17 at 10:16
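As an added example (not code from the question or from any commenter), here is the per-site user and php-fpm pool layout that Tuncay and Cedric describe, written as a bash script for the CentOS nginx server in the question. It generates the root commands, the php-fpm pool and the nginx server block for one site, and includes an audit that lists everything in a docroot another site's account could still reach. Using the site name as the Unix user name, the /run/php-fpm socket directory and the function names are assumptions; the 775-everything-in-one-group layout from the question is exactly what let one compromised site write to all the others, so the generated commands use 750/640 with no "other" bits instead.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or its commenters.
# Per-site isolation on CentOS with nginx + php-fpm: one system user and
# group per site, one php-fpm pool per site running as that user, and the
# nginx user added to each site's group for read-only access to its files.
# Assumptions (not from the page): socket dir /run/php-fpm, site names used
# as Unix user names, and the generated text is reviewed before installing.
set -eu

DOCROOT_BASE=/www/docs   # layout from the question
NGINX_USER=nginx         # web server account from the question

# php-fpm pool: PHP for this site runs as the site user, so a compromised
# site can only touch what that user can reach. open_basedir adds a second,
# PHP-level fence around the docroot.
gen_pool_conf() {
  site=$1
  cat <<EOF
[$site]
user = $site
group = $site
listen = /run/php-fpm/$site.sock
listen.owner = $site
listen.group = $NGINX_USER
listen.mode = 0660
pm = ondemand
pm.max_children = 10
pm.process_idle_timeout = 10s
php_admin_value[open_basedir] = $DOCROOT_BASE/$site:/tmp
EOF
}

# nginx server block: static files are read by the nginx user (member of the
# site group); PHP requests go to this site's own socket, never a shared one.
gen_server_block() {
  site=$1
  cat <<EOF
server {
    listen 80;
    server_name $site;
    root $DOCROOT_BASE/$site;
    index index.php index.html;
    location ~ \.php\$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/$site.sock;
    }
}
EOF
}

# Commands an administrator would run as root for one site (printed, not
# executed here): dirs 750 / files 640 owned by the site user, with no
# "other" bits, so another site's PHP worker cannot read this tree.
gen_setup_cmds() {
  site=$1
  cat <<EOF
useradd --system --home-dir $DOCROOT_BASE/$site --shell /sbin/nologin $site
usermod -a -G $site $NGINX_USER
chown -R $site:$site $DOCROOT_BASE/$site
find $DOCROOT_BASE/$site -type d -exec chmod 750 {} +
find $DOCROOT_BASE/$site -type f -exec chmod 640 {} +
EOF
}

# Audit: list entries under a docroot that carry any "other" permission bit,
# i.e. paths reachable from a different site's account. Run it after every
# git pull: a developer umask of 022 silently recreates world-readable files.
find_cross_site_accessible() {
  find "$1" \( -type f -o -type d \) -perm /007 -print | sort
}

# Usage: ./site-isolation.sh example.test > review-me.txt
if [ "${1:-}" ]; then
  gen_setup_cmds "$1"; echo
  gen_pool_conf "$1"; echo
  gen_server_block "$1"
fi
```

This answers the "trespassing" part of the question: site A's PHP worker runs as user A and has no permission bits on site B's tree, while nginx, being a member of every site group, can still serve all of them. A compromised worker can still rewrite its own site, because the pool user owns the files; to close that too, give the files to a separate deploy account, leave only the uploads directory group-writable by the pool user, and accept that the WordPress self-updater then stops working, as Cedric points out. Developers who need to git pull can be added to a site's group with group-write on that site's directories without reopening the cross-site path.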

0 Answers