Hi all,
I'm reviewing how I set up websites (mostly Wordpress at the moment),
and would like other opinions on what I'm planning is sane.
My plan is to have a user eg "mysite" that owns all/most of the standard
files and directories.
The webserver (actually php-fpm) would run as "mysite-run".
Group ownership of the files would then be mysite-run, but group-write
permission would not be granted except where required, eg the 'uploads'
and 'cache' directories.
Files in those directories, created by the php-fpm process, would
obviously be owned by mysite-run.
Alternatively the group ownership of most of the directories could
remain with mysite, and but the uploads and cache directories
group-owned (and group-writeable) by mysite-run.
The objective of course is that site code can't write to anything it
shouldn't. I know that means that I'll have to install upgrades, plugins
etc with the wp cli tool.
I earlier had thoughts of improving this with ACLs, but a) this got
really complicated and b) it didn't seem to solve some of the problems I
was trying to solve.
I wanted to be able to allow other users (those who might need to update
sites) to be able to log in as themselves and make changes, but IIRC
nothing (other than sudo or setuid tools) will allow them to set the
ownership back to 'mysite', which is what I want it to be. I'm aware of
bindfs, which allows fuse mounting of filesystems with permission
translation, but as far as I can tell, it doesn't allow mapping of
userids. Tools could help, but I'd rather some of these users had SFTP
access only, which would prevent them being used.
Any thoughts?
I like some of the ideas, mentioned by others, including SELinux issues.
But, for a High Security Website, I prefer Lighttpd over Apache2 and, especially WordPress.
Am I mostly on the right track?
Mostly.
Kenneth Parker