Nginx: Difference between user nginx and www-data in terms of security permissions


I recently installed nginx 1.13.1 on an Ubuntu instance in Amazon Lightsail.

Ubuntu version is 16.04 Xenial OS.
Nginx was installed using the Nginx.org package repository.

After installation, the default nginx.conf specifies user as:

user nginx;

I started nginx using the command below:

sudo service nginx start

On checking the status of nginx using:

ps -ef | grep nginx

I found that the worker process is owned by the nginx user.

Now, according to various resources available online, people suggest using 'www-data' as the user.

My questions related to the above scenario are:

  1. Is there any difference in security permissions for nginx and www-data user?

  2. Should I change user to 'www-data' if it is more secure?

I am new to Linux and nginx so any help will be appreciated.

Best Answer

No, there is no real difference in security just by changing the process owner name. The name itself doesn't imply any permissions or restrictions. In Linux, you have to assign permissions to said user. The name is just an identifier. If security through obscurity is something you believe in, you could change all such defaults to something more random/personal, just to slow down potential hackers in future, but it's hardly worth it. They would just have to look up the new name instead of already knowing the defaults.

So no, no need to change the default user.

But of course, do pay attention to that user's permissions, in terms of execute rights, file read and write rights, etc. That's not specific to Nginx but is at the OS level, so read up on that to feel more confident in your stack's security.
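To make the answer's point concrete, here is an added example (not part of the original answer) that compares accounts by uid, login shell and group membership instead of by name. The passwd and group entries are constructed sample data, the `websvc` account is hypothetical, and the list of groups treated as privileged (sudo, adm, docker) is an assumption.

```shell
# Constructed sample passwd/group data (not from a real host); "websvc" is hypothetical.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
nginx:x:112:116:nginx user:/nonexistent:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
websvc:x:1001:1001::/home/websvc:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
www-data:x:33:
nginx:x:116:
sudo:x:27:websvc
docker:x:999:websvc
websvc:x:1001:
EOF
    echo "$d"
}

# account_summary USER [PASSWD_FILE] [GROUP_FILE]: uid, primary gid, shell, all groups.
account_summary() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) { uid = $3; gid = $4; shell = $7; found = 1 }; next }
        found {
            member = ($3 == gid)                      # primary group
            n = split($4, m, ",")                     # supplementary members
            for (i = 1; i <= n; i++) if (m[i] == u) member = 1
            if (member) groups = groups (groups ? "," : "") $1
        }
        END { if (!found) exit 1
              printf "uid=%s gid=%s shell=%s groups=%s\n", uid, gid, shell, groups }
    ' "${2:-/etc/passwd}" "${3:-/etc/group}"
}

# account_risks USER [PASSWD_FILE] [GROUP_FILE]: one finding per line, none if clean.
# The privileged group list below is an assumption; extend it for your distribution.
account_risks() {
    s=$(account_summary "$@") || { echo "no-such-user"; return 0; }
    case $s in *"uid=0 "*) echo "uid-0" ;; esac
    case $s in *"shell=/bin/false "*|*"shell=/usr/sbin/nologin "*) ;; *) echo "login-shell" ;; esac
    for g in sudo adm docker; do
        case ",${s##*groups=}," in *",$g,"*) echo "group-$g" ;; esac
    done
}

sample=$(make_sample)
for u in nginx www-data websvc; do
    echo "$u: $(account_summary "$u" "$sample/passwd" "$sample/group")"
    account_risks "$u" "$sample/passwd" "$sample/group" | sed 's/^/  finding: /'
done
rm -rf "$sample"
```

Called with only a user name, both functions read the host's /etc/passwd and /etc/group instead of the sample files.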
