You are not logged in.
- Topics: Active | Unanswered
#1 2011-11-01 21:30:34
- pablox
- Member
- From: /home/chile/santiago/
- Registered: 2008-05-14
- Posts: 183
- Website
SFTP jails + nginx + php-fpm.
Context: I have a vps with some users that ran their own websites. I created sftp jails thanks to the wiki article.
With that each user get access to their own home directory and are able to create, delete and modify files. The problem is that nginx/php-fpm ran as a different user (http), and so they don't own the files and in consequence there are some stuff that they can't make. For example: updating wordpress and its plugins.
Obviously the files shouldn't belong to the http user (in my mind at least =P), because that means the users loses some of their rights on their own files. A possible workaround is having them on a group with write permissions, but doesn't look like an elegant solution.
It seems like a weird conflict, so I don't know if I'm missing something, my approach is wrong or I'm picking the wrong tools for the job. So, any suggestions on how tackle this issue are welcome : )
Last edited by pablox (2011-11-13 15:59:15)
Geeks & Linux Atelier
An eye for an eye ... ends in making everybody blind -- Mahatma Gandhi
dotfiles
Offline
#2 2011-11-18 21:43:38
- rwd
- Member
- Registered: 2009-02-08
- Posts: 664
Re: SFTP jails + nginx + php-fpm.
A way to solve this would be to use a "user private group scheme", meaning that users get their own private default group instead of 'users'. And then make the user under which the webserver runs member of the groups of each user. Also it would be smart to use 'umask' such that the files in webroot get '750' permissions by default. This way the webserver can read the files in webroot but can not write them (in case of exploits in php scripts), and each user can't modify files of other users. Only subfolders of webroot used for caching and uploading should be writable by the webserver.
To solve the issue that the webserver creates files in those folders that then can't be written to by users because they are owned by the user/group of the webserver you can use setgid. This lets new files/folders be owned by group of the *parent folder*, instead of the default group of the *user creating the folder*. To make this so for /srv/ and each subfolder in /srv/ you'd do :
# find /srv/ -type d -print0 | xargs --null chmod g+sLast edited by rwd (2011-11-18 22:23:13)
Offline
#3 2011-11-19 01:14:13
- pablox
- Member
- From: /home/chile/santiago/
- Registered: 2008-05-14
- Posts: 183
- Website
Re: SFTP jails + nginx + php-fpm.
Problem with that is that it doesn't solve my problem, because I expect the webserver (or php) being able to write files themselves (for exampling to update wordpress).
It seems that I got in a place that I have to decide between usability and more security =/.
Geeks & Linux Atelier
An eye for an eye ... ends in making everybody blind -- Mahatma Gandhi
dotfiles
Offline
#4 2011-11-19 09:47:45
- rwd
- Member
- Registered: 2009-02-08
- Posts: 664
Re: SFTP jails + nginx + php-fpm.
Problem with that is that it doesn't solve my problem, because I expect the webserver (or php) being able to write files themselves (for exampling to update wordpress).
It seems that I got in a place that I have to decide between usability and more security =/.
You can give the webserver write access if you want. Just change the permissions to make them writable by group (and change umask as well so all new files created by the webserver and users are group writable by default). For my own server I change permissions just to do an upgrade and then change them back, but it's your choice.
Last edited by rwd (2011-11-19 10:47:14)
Offline