Hi,
I followed the LEMP guides and got my nginx setup with wordpress. Nginx uses www-data as the user, and the guides set it up so that www-data is the owner and group of the /srv/www/* folders. So permissions look like:

drwxr-xr-x 5 www-data www-data 4096 2012-03-26 08:42 </srv/www/*>

I'd like to be able to use a desktop FTP program to transfer files back and forth to my websites. It seems my options are:

1. Add myself to the www-data group, and then change the group permissions to add write ability.

2. Add www-data to the AllowUsers line in sshd_config and log in as that user from the ftp program instead of my shell user login.

3. Change the owner of the /svr/www/* folders to me.

Am I right in thinking these are my options? Which of these options is the best-practice in terms of security?

Thanks, any advice appreciated.

Cheers,
Brett

#3 sounds best.

It's usually a good idea to give the www-data user as little permissions as possible. In the case of WordPress, this means making everything owned by another user (that is, you) and only giving wp-content to www-data. You can do this either by chown'ing the folder to www-data:www-data, or by chgrp'ing it to www-data and giving it group write permissions (775).

Restricting www-data to specific folders makes it difficult for badly written and insecure plugins to compromise your entire site, because they won't be able to touch anything outside of those folders. WordPress plugins are not to be trusted. They are one of the most common vectors of malware infection in blogs.

If you really need a PHP script to be able to write outside of the permitted area (e.g. when you update WordPress from the control panel), change permissions temporarily, do the updates, and reapply old permissions afterwards.

Thanks hybinet for your post.

If I understand my current setup correctly, the owner:group is www-data:www-data.

So based on what you're saying, should it be admin:www-data, and then giving the group rwx permissions?

If so, is this what I need to do to change the www-data owner to admin and then give www-data the ability to write for each site?

chown -R admin /srv/www/<site-name>
chmod -R 775 /srv/www/<site-name>

Cheers,
Brett

Hi,
A bit confused, some help greatly appreciated.

My web server user:group is nginx:nginx
My web site files are admin:www-data
I can use SFTP client to transfer files in/out using my admin credentials with SSH keys (no passwords)

Problem is wordpress cannot update itself because nginx doesn't have permission. I suppose I can set the permissions in a few places within wordpress to allow nginx where necessary, but is this the best way? Or can I add www-data as an SFTP user by doing something similar to this guide?

Seems like it must be a common problem people solve, but having trouble finding a complete solution.

Thanks,
Brett

Generally speaking, Internet-facing software modifying itself is a bad thing. If using your distribution's Wordpress packages isn't an option, installing Wordpress via SVN is a decent way to go.

_________________

/* TODO: need to add signature to posts */

Hi hoopycat,
Thanks for taking time to post.

So I guess you're saying it's better to log in and do everything manually rather than let WP update itself.

If I did want to allow WP to be updated from WP like how most shared hosts work, what is the second best option then?

Cheers,
Brett

I think most folks tend to either leave it insecure, or change the ownership when they want to run updates and then change it back when they're done. There aren't very many good ways to handle this, unfortunately.

_________________

/* TODO: need to add signature to posts */

Thanks hoopycat for letting me know. It's funny that something so common is so hard to do out-of-the-box.

There are a couple major assumptions made by most PHP-based applications:

1) There is no command-line access to the server
2) Everything runs under one username

Both of these are unnatural conditions in the "real world", but are nearly universal in the world of shared hosting. Since shared hosting is so prevalent, application developers cater towards that sort of thing.

My PHP survival tips: install Wordpress using the SVN method, install Drupal using Aegir, rewrite everything else from scratch.

_________________

/* TODO: need to add signature to posts */

Convenience and security don't always go together. WordPress errs on the side of convenience, which unfortunately makes it less secure than it could have been.

If wp-content is writable, you can still update themes and plugins from within WordPress.

Also, I'd be careful about "chmod -R 775"ing everything. Directories should have 775 permissions, but files should have 664 permissions. Otherwise those files become executable), and that's another potential vulnerability. The "x" bit means "list" for directories but "execute" for files.

To revert all file permissions to 664, while leaving the directories alone, do this:

find /srv/www/whatever/wp-content -type f -exec chmod 664 {} \;

If you need to give group write permissions to a directory in the future, "chmod -R g+w" is better than "chmod -R 775". "g+w" means "add(+) group(g) write(w) permissions, but leave other permissions alone".

Thanks hybinet and hoopycat for the suggestions/advice!