Can the www-data group be given write access to the site directory?
I have a WordPress site that needs to be edited remotely. The user www-data has write access. I added my developer user to the www-data group and gave that group write access to the site directory. Is this correct from a security point of view? If not, what is the best way to organize remote editing of the site?
This is quite normal, especially if your account is sufficiently secure (strong password/key, brute force protection, limited SSH connections by IP, etc.). At the very least, it's no worse than a CMS exploit that would give access with a service account at all.
Usually the server itself runs as www-data, or rather the PHP interpreter does (php-fpm, if Nginx), and giving this group and user write permissions to all directories is very reckless.
I usually make the owner of the files a specific user who can manage all the files, and leave the group www-data and set its write permissions only for those folders in which files can actually be loaded and files modified by scripts, and in these folders I make sure to disable the launch of scripts (Nginx settings). Only umask 027 needs to be set. If there are several sites, then in the case of nginx it would be better for each site to use a separate php-fpm pool with a separate user group only for this site.
But this is only if it is not possible to use ACLs. If there is, I create a separate group for "developers".
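One way to apply and check the layout described in the answer above, as an added example that is not part of the original answer. The function names, the `wp-content/uploads` path and the 750/640/770/660 modes are assumptions; the Nginx rule that blocks script execution in the writable folder is not covered here.

```shell
#!/bin/sh
# Added example. Assumed layout: one owner user, group www-data,
# group write only inside a single writable subtree (e.g. uploads).

# harden_site ROOT WRITABLE_REL [OWNER:GROUP]
# Sets dirs to 750 and files to 640 (the modes umask 027 yields for
# newly created files), then opens group write only under WRITABLE_REL.
harden_site() {
    root=$1; writable=$1/$2
    # Changing ownership needs root, so it is optional.
    if [ -n "${3:-}" ]; then chown -R "$3" "$root" || return 1; fi
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    if [ -d "$writable" ]; then
        find "$writable" -type d -exec chmod 770 {} +
        find "$writable" -type f -exec chmod 660 {} +
    fi
}

# audit_site ROOT WRITABLE_REL
# Prints every path that breaks the layout; returns 0 only if none do.
audit_site() {
    root=$1; writable=$1/$2
    bad=$( {
        # Group-writable files or directories outside the writable subtree.
        find "$root" -path "$writable" -prune -o \
            \( -type f -o -type d \) -perm -020 -print
        # Any permission bit for "other" (not possible under umask 027).
        find "$root" \( -type f -o -type d \) \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print
    } | sort -u )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Run `audit_site /path/to/site wp-content/uploads` from cron or a deploy hook to catch permissions that drift after plugin installs or manual edits.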