How should I structure my users/groups/permissions for a web server?

Brandon Wamboldt asked:

How should I set up permissions in the most secure way on my dedicated server which I’m running FTP + Nginx on? I want FTP to be able to read/write files and I want Nginx to be able to read/write the same files. Should I set the user mask in ProFTPd to write files as the nginx user?

Should I set permissions to 700 for directories and 600 for files assuming they are owned by the nginx user and group?

Any info is appreciated.

My answer:

If your web server can write to all of your files, then the site isn’t necessarily secure; any (known or unknown) exploit against nginx, PHP (or Rails or whatever stack etc.) or the web applications you may be using means that an attacker can write to everything.

The most secure method is to have all files owned by a user other than the user that the web server (and PHP etc.) runs as, and only make things writable that must be writable for the application to function, such as user upload directories.

For instance, on my web server, nginx runs as user nginx, php-fpm also runs as user nginx, and all files are owned by my own user account except for the upload directories, which are owned by nginx so that my web app’s file upload features work.

Whenever I use SFTP, I log in with my own user account, and I su to root to change ownership of such upload directories (such as WordPress /wp-content/uploads directory). Most web applications will print a warning during installation when a file or directory needs to be writable.
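One way to audit a web root against the ownership scheme this answer describes, as an added example that is not part of the original answer. The function names `audit_webroot` and `check_webroot` and the path `/var/www/example` are hypothetical; `nginx` as the service user and group follows the answer's setup.

```shell
#!/bin/sh
# Added example: list everything under a web root that the web server account
# could modify, apart from directories that are meant to be writable (uploads).
#
# usage: audit_webroot ROOT SERVICE_USER SERVICE_GROUP [WRITABLE_DIR ...]
#   ROOT          web root, without a trailing slash
#   WRITABLE_DIR  path relative to ROOT that the service account may own
audit_webroot() {
    root=$1 svc_user=$2 svc_group=$3
    shift 3
    # Turn each allowed directory into a "-path DIR -prune -o" clause so find
    # skips it and everything below it.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -path "$root/$1" -prune -o
        shift
        n=$((n - 1))
    done
    # Flag a path when the service account:
    #   - owns it (an owner can always chmod it writable), or
    #   - shares its group and the group-write bit is set, or
    #   - can write through the world-write bit.
    # Symlinks are skipped because their own mode bits are not meaningful.
    find "$root" "$@" ! -type l \( \
        -user "$svc_user" \
        -o \( -group "$svc_group" -perm -020 \) \
        -o -perm -002 \
    \) -print
}

# Same check as a gate: prints findings and returns 1 if there are any,
# so it can fail a deploy step or trigger a cron mail.
check_webroot() {
    findings=$(audit_webroot "$@") || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Example invocation (constructed path):
#   check_webroot /var/www/example nginx nginx wp-content/uploads
```

Anything the check prints is a path that a compromise of nginx or php-fpm could overwrite; the pruned upload directories are the only places where that is expected.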

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.