The Nginx web server runs as the www-data:www-data user and group. Which user group and user should the PHP program be set to in order to ensure security?

Source: Internet
Author: User
For an Nginx + PHP-FPM combination, how should the user group and user of the PHP program be set to ensure the security of program execution?

Reply content:

Set up separate users and user groups. PHP-FPM has nothing to do with the web server's user, as long as the two can communicate with each other. Different services should run under independent users and user groups as much as possible. That way, if a service has a problem, the other party can only obtain the permissions of the user that service runs as, and other services are unlikely to be affected.

PHP-FPM has a php-fpm.d folder (pool.d under Ubuntu), in which different running configurations can be set for different programs. By default, only www.conf is used. That is, all PHP programs run with the same parameters (a single user for everything is dangerous), including the user and the listener type (port or socket); Nginx reverse-proxies to the specific port or socket.

Suggestion: in php-fpm.d, create several more configuration files similar to www.conf, each listening on a different port or socket. Use a different user for each, and use the corresponding user and user group for the program. You can add users and groups.

Run PHP-FPM as an individual user (such as app); it is best that each site has a separate user. Website-related files belong to that user (app), with permissions 740.
PHP-FPM listens on a Unix socket; the owner is app, with permission 750.

Nginx uses the default www-data; add www-data to the same group as app.

This way Nginx can read app's files but cannot write them, other users can neither read nor write them, and only Nginx can initiate requests to PHP-FPM.
PHP-FPM can freely read and write the files related to the site, so features such as automatic upgrades in programs like WordPress work without problems.

You only need to ensure that the user who starts the PHP service has sufficient permissions on the files PHP operates on, and that all other permissions are set to the lowest.

For multiple websites, we recommend that you separate the configuration of php-fpm and use different groups and users to ensure maximum security.

My PHP-CGI runs as the www-data user, so the PHP files are also owned by www-data, with permission 644.
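
The replies above recommend one PHP-FPM pool per site, each under its own user, distinct from the Nginx user, with a socket that only Nginx can reach. As an added example (not part of any reply, and not code from PHP-FPM or Nginx), this Python script audits pool files against those points. The pool names, socket paths, finding labels and the `audit_pools` helper are constructed for illustration; `user`, `listen` and `listen.mode` are PHP-FPM pool directives, and an unset `listen.mode` is assumed to default to 0660.

```python
import configparser

WEB_USER = "www-data"  # Nginx user named in the question

# Constructed sample pool files, as they might sit in php-fpm.d (pool.d on Ubuntu).
SAMPLE_POOLS = {
    "www.conf": "[www]\nuser = www-data\ngroup = www-data\n"
                "listen = /run/php/www.sock\nlisten.mode = 0666\n",
    "shop.conf": "[shop]\nuser = app\ngroup = app\nlisten = /run/php/shop.sock\n"
                 "listen.owner = app\nlisten.group = www-data\nlisten.mode = 0660\n",
    "blog.conf": "[blog]\nuser = app\ngroup = app\nlisten = 127.0.0.1:9001\n",
}


def audit_pools(files, web_user=WEB_USER):
    """Return sorted (pool, issue) pairs for pools that weaken per-site isolation."""
    findings, first_pool_for_user = [], {}
    for name in sorted(files):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(files[name], source=name)
        for pool in cp.sections():
            if pool == "global":  # process-manager settings, not a pool
                continue
            sec = cp[pool]
            user = sec.get("user", "")
            if user == web_user:
                findings.append((pool, "runs-as-web-server-user"))
            if user and user in first_pool_for_user:
                findings.append((pool, "shares-user-with-" + first_pool_for_user[user]))
            first_pool_for_user.setdefault(user, pool)
            listen = sec.get("listen", "")
            if listen.startswith("/"):
                # Unix socket: the low three bits are the "other" permissions.
                mode = int(sec.get("listen.mode", "0660"), 8)  # assumed default when unset
                if mode & 0o007:
                    findings.append((pool, "socket-open-to-other-users"))
            else:
                # TCP listener: no file permissions, so any local user can connect.
                findings.append((pool, "tcp-listener-no-socket-permissions"))
    return sorted(findings)


if __name__ == "__main__":
    for pool, issue in audit_pools(SAMPLE_POOLS):
        print(f"{pool}: {issue}")
```

To audit a real host, read each file under the pool directory into the `files` mapping (file name to contents) and pass the user from the Nginx `user` directive as `web_user`.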
