This article was first published on Slime's blog.
A few days ago we studied how to build a WordPress blog under Nginx. In the article "Slime: Using Nginx to build a WordPress blog", we specifically mentioned the user under which each program runs.
In this article, we will explain in detail how to configure the users under which Nginx, PHP-FPM and MySQL each run.
First, a brief explanation: Nginx itself cannot execute PHP; it is only a web server. When it receives a client request, if the request is for PHP it is forwarded to the PHP interpreter for processing and the result is returned to the client. If the request is for a static page, Nginx handles it itself and returns the result to the client.
The most commonly used PHP interpreter under Nginx is FastCGI. In general, the PHP request is forwarded to the FastCGI management process, which chooses a CGI child process to handle it and then returns the result to Nginx.
Two users are involved in this process: the user Nginx runs as and the user php-fpm runs as. If a static file is accessed, only the user running Nginx needs read (or write) access to the file.
If a PHP file is accessed, the Nginx user first needs read permission on the file; once Nginx reads the file and finds that it is PHP, it forwards the request to PHP-FPM, and at that point the PHP-FPM user needs read (or read and write) permission on the file.
First, let's look at which user Nginx runs as. Use the ps command to view it, as follows:
ps aux | grep nginx
We can clearly see that the Nginx parent process runs as root, while the child process runs as nobody, and there is only one child process. This is consistent with our settings in the Nginx configuration file, as follows:
more /usr/local/nginx/conf/nginx.conf
Note: if no user is configured, Nginx runs as the nobody user by default. Running Nginx as nobody is relatively secure.
That is the user Nginx runs as.
Now let's look at the user PHP-FPM runs as, again using the ps command, as follows:
ps aux | grep php-fpm
From the output we can see that the php-fpm parent process runs as root, while the child processes all run as the apache user.
Next let's look at which user the MySQL database runs as, again with the ps command, as follows:
ps aux | grep mysql
As we can see, MySQL runs as the mysql user, and its PID is exactly the one saved in /var/run/mysqld/mysqld.pid.
The above shows the users under which Nginx, PHP-FPM and MySQL run.
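The three ps checks above can be turned into one script that extracts the worker user of each service from ps aux output. The following is an added example, not code from the original article: the function names and the sample ps lines are constructed, and on a real host the printf is replaced by ps aux.

```shell
#!/bin/sh
# Added example (not from the original article): derive the worker user of
# nginx, php-fpm and mysqld from "ps aux" output instead of eyeballing it.
# The function names and the sample ps lines below are constructed.

# worker_users NAME   (reads ps aux output on stdin)
# Prints the distinct users of the non-root processes whose line contains
# NAME, one per line. Masters run as root, so they are left out; that leaves
# exactly the users that need file permissions on the web root.
worker_users() {
    awk -v name="$1" '
        $1 != "root" && index($0, name) && !index($0, "grep") { seen[$1]++ }
        END { for (u in seen) print u }
    ' | sort
}

# expect_worker_user NAME USER   (reads ps aux output on stdin)
# Succeeds only if every worker of NAME runs as USER.
expect_worker_user() {
    found=$(worker_users "$1")
    [ -n "$found" ] && [ "$found" = "$2" ]
}

# Constructed ps aux output mirroring the article's "before" state:
# nginx workers as nobody, php-fpm pool as apache, mysqld as mysql.
SAMPLE_PS=$(cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1023  0.0  0.1  45000  1100 ?        Ss   10:00   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nobody    1024  0.0  0.2  46000  2300 ?        S    10:00   0:00 nginx: worker process
root      1100  0.0  0.5 200000  5000 ?        Ss   10:01   0:00 php-fpm: master process (/etc/php-fpm.conf)
apache    1101  0.0  0.4 200000  4500 ?        S    10:01   0:00 php-fpm: pool www
apache    1102  0.0  0.4 200000  4500 ?        S    10:01   0:00 php-fpm: pool www
mysql     1200  0.1  2.0 500000 20000 ?        Sl   10:02   0:01 /usr/libexec/mysqld --pid-file=/var/run/mysqld/mysqld.pid
EOF
)

# Offline demo on the constructed sample; on a real host replace the printf
# with: ps aux | worker_users nginx
for svc in nginx php-fpm mysqld; do
    printf '%s workers run as: %s\n' "$svc" \
        "$(printf '%s\n' "$SAMPLE_PS" | worker_users "$svc" | tr '\n' ' ')"
done
if printf '%s\n' "$SAMPLE_PS" | expect_worker_user php-fpm nobody; then
    echo "php-fpm and nginx share the nobody user"
else
    echo "php-fpm does not run as nobody: uploads into a nobody-owned web root will fail"
fi
```

The master processes are excluded on purpose: they run as root regardless of the configured user, and it is only the workers that open files in the web root.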
Now we start testing the configuration in an actual production environment. In the article "Slime: Using Nginx virtual hosts to build a WordPress blog", we configured the virtual host a.ilanni.com, as follows:
Let's look at the user and group of the a.ilanni.com virtual host's root directory, as follows:
In an actual production environment, our usual configuration is that Nginx and PHP-FPM both run as the nobody user, the site's root directory also belongs to the nobody user, and the nobody user has full permissions on that root directory.
This configuration is the most secure, because the nobody user is the safest: even if attackers compromise the site, they cannot log in to the system.
Now, without changing any configuration, let's use the respective default users and publish an article to see the actual effect.
For publishing WordPress articles, I generally use the Windows Live Writer blog client.
We still use this client to publish an article containing only text and no pictures, as follows:
From the result, we can clearly see that this text-only test article was published successfully.
Next we test an article with pictures, as follows:
Here we can see that the article with a picture cannot be published; Windows Live Writer reports an error.
Why can't an article with a picture be published?
The problem is actually very simple: the picture in the article must be uploaded to the website's root directory before it can be accessed normally. PHP-FPM currently runs as the apache user, and the apache user has no access to the root directory of the virtual host a.ilanni.com, and in particular no write permission.
As a result, Windows Live Writer cannot publish an article with pictures.
So how do we solve this problem?
It is actually very simple, and we already said it above: Nginx involves two users, the user Nginx runs as and the user php-fpm runs as. If a static file is accessed, only the user running Nginx needs read access to the file.
If a PHP file is accessed, the nginx user first needs read permission on the file; after reading the file and finding that it is PHP, Nginx forwards it to PHP-FPM, and at that point the php-fpm user needs read permission on the file.
What we need to do now is make both Nginx and PHP-FPM run as the nobody user, and then give the nobody user and nobody group full permissions on the root directory of the Nginx virtual host a.ilanni.com.
Nginx already runs as nobody, so we leave it alone. Let's adjust the user php-fpm runs as. We installed php-fpm through yum, and it uses the default configuration, which is /etc/php-fpm.d/www.conf.
Now edit that file and change the user and group it runs as, as follows:
vi /etc/php-fpm.d/www.conf
After editing, restart PHP-FPM, as follows:
/etc/init.d/php-fpm restart
ps aux | grep php-fpm
From the output, we can see that PHP-FPM is now running as the nobody user.
With the PHP-FPM user modified, we now change the user and group of the virtual host's root directory, as follows:
chown -R nobody:nobody a.ilanni.com/
After changing the user and group of the a.ilanni.com virtual host's root directory, be careful to also adjust the nobody user's permissions on that root directory.
As we can see, the nobody user now has full control over the root directory of the virtual host a.ilanni.com.
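The reasoning used above (the nginx user needs read access, the php-fpm user needs read access and, for uploads, write access) can be checked mechanically from a directory's owner, group and mode. The following is an added example, not code from the original article; the function names and the before/after values are constructed, and the stat invocation shown in the comment is how it would be fed on the real web root.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the article's
# permission reasoning as a check. Given a path's owner, group and octal
# mode, decide whether a given user may read or write it, then apply that to
# the nginx worker (needs read) and the php-fpm worker (needs read and, for
# uploads, write). All function names and sample values are constructed.

# in_group GROUP "G1 G2 ..."   -> 0 if GROUP is in the list
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# perm_ok OWNER GROUP MODE USER "USER_GROUPS" WANT
#   MODE: octal such as 755 or 0755; WANT: r, w or x.
#   Returns 0 if USER is granted WANT by the classic owner/group/other bits.
perm_ok() {
    p_owner=$1; p_group=$2; p_user=$4; p_groups=$5
    case $6 in
        r) p_bit=4 ;; w) p_bit=2 ;; x) p_bit=1 ;; *) return 2 ;;
    esac
    # keep only the last three octal digits (drops a leading setuid/sticky digit)
    p_mode=$(printf '%s\n' "$3" | sed 's/.*\(...\)$/\1/')
    # root bypasses read/write checks (execute still needs some x bit; not modelled here)
    if [ "$p_user" = root ] && [ "$6" != x ]; then
        return 0
    fi
    if [ "$p_user" = "$p_owner" ]; then
        p_digit=$(printf '%s\n' "$p_mode" | cut -c1)
    elif in_group "$p_group" "$p_groups"; then
        p_digit=$(printf '%s\n' "$p_mode" | cut -c2)
    else
        p_digit=$(printf '%s\n' "$p_mode" | cut -c3)
    fi
    [ $(( $p_digit & $p_bit )) -ne 0 ]
}

# webroot_audit OWNER GROUP MODE NGINX_USER PHPFPM_USER
#   Checks the three requirements from the text: nginx reads, php-fpm reads,
#   php-fpm writes (uploads). Prints one line per check; returns 1 if any fails.
webroot_audit() {
    a_rc=0
    for chk in "$4:r" "$5:r" "$5:w"; do
        a_who=${chk%:*}; a_what=${chk#*:}
        if perm_ok "$1" "$2" "$3" "$a_who" "$a_who" "$a_what"; then
            echo "ok:   $a_who may $a_what  ($1:$2 $3)"
        else
            echo "FAIL: $a_who may not $a_what  ($1:$2 $3)"; a_rc=1
        fi
    done
    return $a_rc
}

# Offline demo with constructed values. Live use on the article's web root:
#   webroot_audit $(stat -c '%U %G %a' /ilanni/a.ilanni.com) nobody nobody
echo "--- before: web root nobody:nobody 755, php-fpm still running as apache"
webroot_audit nobody nobody 755 nobody apache || true
echo "--- after: php-fpm switched to nobody"
webroot_audit nobody nobody 755 nobody nobody || true
```

The "before" run fails only on the write check, which is exactly the symptom seen with Windows Live Writer: text posts (reads) work, image uploads (writes into the web root) do not. The check covers the owner/group/other bits only; ACLs or SELinux labels, if present, would have to be inspected separately.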
Once the permissions above have been modified, we can publish the article through Windows Live Writer again, as follows:
From the result we can see that this article was published to WordPress successfully. Let's look at where the image is stored in WordPress:
ll /ilanni/a.ilanni.com/wp-content/uploads/2014/09
The above covers the user configuration of Nginx, PHP-FPM and MySQL in actual use. Strictly speaking, we could end the article here.
But to fit our actual production environment better, we need to go one step further. Suppose this WordPress site is a project that is still under development, and we have not opened Linux system accounts for the developers, only an FTP account.
How, then, does the developer upload and modify the code?
This requires setting up vsftpd virtual users. For details, refer to my earlier article "Slime: vsftpd virtual users and anonymous users".
First, install vsftpd using yum. Once the installation is complete, configure vsftpd.
The following file is configured:
vi /etc/vsftpd/vsftpd.conf
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
idle_session_timeout=600
ftpd_banner=http.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
listen_port=2121
pasv_min_port=6000
pasv_max_port=6150
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=nobody
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/vu_conf
virtual_use_local_privs=YES
Here guest_enable=YES enables vsftpd virtual users, which means that every user logging in to FTP is a virtual user on the system.
guest_username=nobody indicates that virtual users are mapped to the system user nobody.
virtual_use_local_privs=YES means that vsftpd virtual users have the same privileges as local users.
pam_service_name=vsftpd sets the PAM service used for vsftpd authentication.
Then configure the directory for the vsftpd virtual user, as follows:
vi vu_conf/ilanni
local_root=/ilanni/a.ilanni.com
With the above configuration, the vsftpd virtual user ilanni has full control over the root directory of the Nginx virtual host a.ilanni.com.
This also achieves the goal of managing the project through vsftpd.
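The whole scheme only holds together if the vsftpd guest user is the same system user that php-fpm runs as and that owns the web root. The following is an added example, not code from the original article, that reads a vsftpd.conf and verifies that linkage; the function names and the sample configuration excerpt are constructed, and on a real host the file is read from /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/sh
# Added example (not from the original article): read a vsftpd.conf and verify
# that the virtual-user settings map FTP logins to the same system user that
# owns the web root and runs php-fpm (nobody in the article). The function
# names and the sample configuration below are constructed.

# vsftpd_get KEY   (reads vsftpd.conf on stdin)
# Prints KEY's value; comment lines are skipped, surrounding blanks trimmed,
# and the last occurrence wins.
vsftpd_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    '
}

# vsftpd_check_virtual EXPECTED_USER   (reads vsftpd.conf on stdin)
# Succeeds when guest_enable and virtual_use_local_privs are YES and
# guest_username equals EXPECTED_USER, i.e. FTP uploads will be owned by the
# same user php-fpm writes as.
vsftpd_check_virtual() {
    conf=$(cat)
    enable=$(printf '%s\n' "$conf" | vsftpd_get guest_enable | tr 'a-z' 'A-Z')
    guest=$(printf '%s\n' "$conf" | vsftpd_get guest_username)
    privs=$(printf '%s\n' "$conf" | vsftpd_get virtual_use_local_privs | tr 'a-z' 'A-Z')
    [ "$enable" = YES ] && [ "$privs" = YES ] && [ "$guest" = "$1" ]
}

# Constructed vsftpd.conf excerpt following the article's settings.
SAMPLE_VSFTPD=$(cat <<'EOF'
# virtual users
local_enable=YES
write_enable=YES
local_umask=022
guest_enable=YES
guest_username=nobody
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/vu_conf
virtual_use_local_privs=YES
listen=YES
listen_port=2121
EOF
)

# Offline demo; live use: vsftpd_check_virtual nobody < /etc/vsftpd/vsftpd.conf
if printf '%s\n' "$SAMPLE_VSFTPD" | vsftpd_check_virtual nobody; then
    echo "vsftpd virtual users map to nobody, matching the php-fpm user"
else
    echo "vsftpd guest user does not match the php-fpm/web root user"
fi
```

Pass the user that php-fpm's pool runs as (the value set in /etc/php-fpm.d/www.conf); if the two ever diverge, files uploaded over FTP and files written by WordPress will end up with different owners and one side will lose write access.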
Slime: Nginx, PHP-FPM and MySQL user permissions explained