[SLVD] sftp jails + nginx + php-fpm: How should I manage users?

Context: I have some users that run their own websites. I created sftp jails thanks to the wiki article.

With that, each user gets access to their own home directory and is able to create, delete and modify files. The problem is that nginx/php-fpm runs as a different user (http), and so it doesn't own the files and in consequence there is some stuff that it can't do, for example: updating wordpress and its plugins.

Obviously the files can't belong to the http user, because that means the users lose some of their rights on their own files. Having them in a unique group with write permissions can work, but doesn't look like an elegant solution.

It seems like a weird conflict, so I don't know if I'm missing something, my approach is wrong or I'm picking the wrong tools for the job.

So, any suggestions on how to tackle this issue are welcome : )

9 Replies

for wordpress to update itself etc it needs write permissions to itself, best bet since you're using fpm is have a fpm pool for each user running under their user, unfortunately this means if there is a security bug in wordpress that allows users to edit files when they could rewrite wordpress.

Security vs functionality an age old dilemma

@obs:

> for wordpress to update itself etc it needs write permissions to itself, best bet since you're using fpm is have a fpm pool for each user running under their user, unfortunately this means if there is a security bug in wordpress that allows users to edit files when they could rewrite wordpress.
>
> Security vs functionality an age old dilemma

Have you got any further details on this security issue?

As well as allowing users to update WP itself, there are simple editors that allow them to edit themes and plugins. So editing WP files from within WP is intentional. Are you referring to this, or something else?

Just curious :)

@obs:

> for wordpress to update itself etc it needs write permissions to itself, best bet since you're using fpm is have a fpm pool for each user running under their user, unfortunately this means if there is a security bug in wordpress that allows users to edit files when they could rewrite wordpress.
>
> Security vs functionality an age old dilemma

Thanks, that looks like a "fine" solution. I still wonder how those big shared hostings (like dreamhost for ie) manage their users.

Being careful with version could this post work as a starting point?

An example of why php shouldn't be allowed to write to itself.

1. A security vulnerability is found in a script say an upload script allows a php file to be uploaded

2. This php file is then executed via the browser and alters your index.php file to include
3. All visitors to your site get sent to abadsite.com and spammed into a new incarnation.

@obs:

> An example of why php shouldn't be allowed to write to itself.
>
> 1. A security vulnerability is found in a script say an upload script allows a php file to be uploaded
>
> 2. This php file is then executed via the browser and alters your index.php file to include
> 3. All visitors to your site get sent to abadsite.com and spammed into a new incarnation.

So, what you're saying is that what I found isn't a "bug", it's actually a feature? It's kind of weird that Wordpress exposes itself to that kind of vulnerability though, don't you think so?

Besides that… if I keep my conf as it was, that is: php-fpm running as its own user (http), having access to read the php files (not write), is it secure?

Something like:

-rw-r----- 1 webuser www-data 3,5K ago 4 10:19 index.php

It's not a bug unless a vulnerability is found, wordpress is designed to be able to update itself and install plugins from the web ui, it makes life easier for the non techy users.

If you have permissions of

-rw-r----- 1 webuser www-data 3,5K ago 4 10:19 index.php

And php-fpm is running as "webuser" then that's fine for allowing webuser to write to itself and webuser to connect via sftp. It also allows the web server to read the file which is fine. Other users won't be able to read it.

Another thing you'll want to do is set php's open_basedir to something like /home/webuser/:/tmp/

That way the users can't use php to access outside of their home directory (except for /tmp/ which is often used for sessions)

Thanks for your answers =)

I'm gonna read about how I'm supposed to start each php-fpm pool with a different user though.

Any good point (or directions) on how to start? It seems that php-fpm lacks documentation.

http://www.php.net/manual/en/install.fpm.configuration.php

You'll want the "user" directive

@obs:

> http://www.php.net/manual/en/install.fpm.configuration.php
>
> You'll want the "user" directive

LOL, I was looking in php-fpm.org where the documentation is so old. Thanks again, I'm marking this as solved.
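
The per-user pool with the "user" directive and the open_basedir restriction suggested in this thread, as an added example that is not part of the original posts: a shell function that renders one php-fpm pool file per site owner. The socket path, the process limits, the web server account defaulting to `http`, and a group named after each user are assumptions.

```shell
#!/bin/sh
# Added example: render one php-fpm pool per site owner.
# Assumed (not from the thread): socket path under /run/php-fpm,
# a group named after each user, and the pm limits below.

render_pool() {
    user=$1
    web_user=${2:-http}   # account nginx runs as (the thread's "http")

    # Accept only a plain account name, so the value cannot add
    # extra directives or path components to the pool file.
    case $user in
        ''|*[!a-z0-9_-]*|-*) echo "invalid user name" >&2; return 1 ;;
    esac

    cat <<EOF
[$user]
; PHP for this site runs as the site owner, so WordPress can update
; files the owner uploaded over sftp.
user = $user
group = $user

; One socket per pool; only the web server account may connect.
listen = /run/php-fpm/$user.sock
listen.owner = $web_user
listen.group = $web_user
listen.mode = 0660

pm = ondemand
pm.max_children = 5

; php_admin_value cannot be overridden with ini_set().
php_admin_value[open_basedir] = /home/$user/:/tmp/
EOF
}

# Usage: render_pool alice > <your php-fpm pool directory>/alice.conf
```

Each site's nginx server block then passes PHP requests to that user's socket, so a compromised script in one site runs with only that owner's file permissions.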
