Linux – What User Should NGinx and PHP Run As?

Tags: groups, linux, permissions, runas, users

Permissions are something that have confused me for a while with Linux. So at the minute both my NGinx and PHP-FPM instances are running with the user and group:

www-data

Is this standard? I run into trouble when I come across file uploading.

For example, a file would be uploaded with both the user and group www-data. Now, due to how I set permissions (0440) in my web application, I can't log in via ssh with my normal account to download those files. This can't be changed.

I was thinking of changing my nginx and php instance to keep the group, but change them to run under my user name.

What's the correct way of handling permissions here? Thank you.

Best Answer

This is how this works: when you log in via FTP/SSH and upload files, they are created with your permissions. Probably your webroot is world-writable (0777), which is insecure: every user on the system can write something there. PHP runs with different user privileges (they are specified in the PHP-FPM config, not the nginx config), and as the directory is world-writable, the PHP user (www-data) can also write there. But the owner of this file is www-data, not your account. They are two distinct accounts at the filesystem permission level.

I suggest you create a dedicated user with the least possible privileges, which would own the webroot directory, would be used for FTP/SSH upload AND would run PHP. You should change the PHP-FPM config (in the worker section there is a user entry) and the NGINX config, so you can make your website files not world-readable and more secure.

Don't run PHP as a privileged user (sudo capabilities, write privileges outside the docroot); that could cause a server security compromise.
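
A check for the layout this answer recommends, as an added example that is not part of the original answer: it reports world-writable entries in the webroot, entries owned by another account, and whether the PHP-FPM pool's `user` entry matches the webroot owner. The function names are illustrative, and the webroot path, pool file path and account name are arguments supplied by the caller.

```shell
#!/bin/sh
# Added example: audit helpers for the single-owner webroot layout.
# Paths and account names are caller-supplied; none come from the page.

# Print the account a PHP-FPM pool file runs its workers as ("user = ...").
# Lines commented out with ';' are ignored; the first live entry wins.
pool_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n 1
}

# Count entries under DIR that carry the world-writable bit (symlinks skipped).
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Count entries under DIR not owned by OWNER (account name or numeric uid).
count_foreign_owner() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Return 0 only if nothing under DIR is world-writable, everything is owned
# by OWNER, and the pool file runs PHP as that same OWNER.
audit_webroot() {
    dir=$1 owner=$2 pool=$3 rc=0
    ww=$(count_world_writable "$dir")
    fo=$(count_foreign_owner "$dir" "$owner")
    pu=$(pool_user "$pool")
    [ "$ww" -eq 0 ] || { echo "FAIL: $ww world-writable entries in $dir"; rc=1; }
    [ "$fo" -eq 0 ] || { echo "FAIL: $fo entries not owned by $owner"; rc=1; }
    [ "$pu" = "$owner" ] || { echo "FAIL: pool runs as '$pu', expected '$owner'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir matches the single-owner layout"
    return "$rc"
}
```

Call it as `audit_webroot <webroot> <account> <pool file>`; a non-zero exit status means at least one of the three checks failed.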