nginx + php-fcgi + vsftp = great. But how to have different users?

Discussion in 'Server Operation' started by talkingnews, Jul 19, 2011.

  1. talkingnews

    talkingnews New Member

    I'm a complete nginx convert - took a couple of days, but with the guides here and elsewhere, I've got nginx+vsftp running 4 sites:
    2 busy wordpress installs and a reasonably busy (20 or so on at any one time) phpbb forum. All rewrites working. And it doesn't even make an Amazon ec2 free micro instance break a sweat - the previous Apache2 config was bringing it down 5 times a day. nginx FTW by a mile, and service apache2 stop FTMFW!

    The problem is, I've had to drop ispconfig, which is a shame. So I'm only missing one gap in my linux newbie knowledge now, with relation to security. In the situation I have now, all sites run the same user, and with ftp I log into the web root.
    What's I'd prefer to do is have the ispconfig model of each site having its own user and group, so, I suppose, if someone hacked one site, they couldn't hack files of another site.

    And here's where no amount of googling will turn anything up. Any ideas?
  2. falko

    falko Super Moderator ISPConfig Developer

    I guess you will have to set up system users manually with the useradd command. Take a look at
    man useradd
  3. talkingnews

    talkingnews New Member

    Hmmm, perhaps I didn't describe very clearly. To clarify:
    I can create users, no problem. But in Ispconfig, it seemed to run each website as it's own unique user. In other words, the server would run with the permissions of client1:user2
    With the nginx/php-fcgi setup I have, everything runs as www-data:www-data.
    Although I backup every night, if someone access one site, in theory a dodgy script, rather than hacking just the one site, could work it's way round the whole /var/www/ and hack all 4 sites. Yes, they're only small and backed up twice a day so it wouldn't cause massive problems, but I'd like to just eliminate that possibility.

    I can just about see how you'd run each SITE as a different user in nginx, but of course it's the php that's writing data to the server. The only thing I can think of is if I run 4 php backends, each on their own port and user.
    Just doesn't seem to be the correct way to do things, a bit untidy, and I was wondering if there was a neater way.

Share This Page