Nginx
zevilz, 2015-01-11 10:55:22

How to properly set up vsftpd on an Nginx + php-fpm server?

There is a site on WordPress. Directories have permissions 755, files have 644, and the owner and group are www-data. Everything seems to be in order.
The problem is editing files via FTP. There is, for example, a user named user. It is in the www-data group. But it turns out that this user cannot change files via FTP at all because of the permissions; only viewing files is possible. If I make it the owner, the user then has full access via FTP, but WP plugins no longer have the file access they need, and some require FTP access. I tried configuring vsftpd both with and without a userlist.
vsftpd.conf
nginx.conf
host example
What should I do in this case?
Thanks in advance for your replies.

3 answer(s)
xbox, 2015-01-15
@zevilz

Set permissions on files to 640 and on directories to 750,
with user1 as the owner and www-data as the group.
In this case nginx must run as the user www-data, and php-fpm as the user user1. Log in via FTP as user1.
user1 does not need to be added to the www-data group.
If you have several sites, then for the second site set the owner to user2 with the group www-data, and connect via FTP as user2.
If there are several sites, each gets its own php5-fpm pool, and each pool runs as a different user.

Result: the php processes, and hence WordPress, will have full access to the files of their own project only and no access to the files of the neighbouring projects on the VPS. Nginx will have read-only access to all projects. Via FTP, each user will have full access only to their own project. Unnecessary file permissions have been removed.

If one of the sites on the VPS is hacked, the attacker usually gets the access rights of the user who runs the php-fpm pool (hacking nginx is unlikely). I.e. when hacked, the attacker gets full rights to one project, but cannot even read, much less write to, another project.

To further secure the server, use chroot in your php5-fpm and FTP settings. This greatly improves security. But setting up a chroot in php5-fpm usually requires additional dancing with a tambourine (changing the configs of other services,

I used to be careless about security settings, until I accidentally found the same shell script on my VPS in two projects. After I realized what kind of script it was, I launched it (I just typed the appropriate address in the browser) and was really stunned. The shell script made it easy to navigate through all project folders (individual sites) located on the VPS, allowed you to write and delete files in these projects at will, allowed you to go to the root of the file system, for example to the /etc folder, and read all the configs in that folder. Although the configs were read-only, they actually store a lot of confidential information; for example, some passwords of standard services are stored in such configs in plain text. The script allowed listing the running processes and killing arbitrary processes launched by the same user, etc. In addition, all the main methods needed for finding vulnerabilities and further sabotage are automated in the script. I.e. in many cases it was more convenient for me to work with the server through this shell script than through PuTTY and WinSCP. And later I used this shell script to test the security of each project. I.e. in addition to solving the local problem, I recommend that you immediately check the security of the server as a whole.
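
The layout described in this answer, as an added example that is not code from the thread or from any of the tools it mentions. It assumes one site per system user (hypothetical names user1 and /var/www/site1), applies the 750/640 scheme, audits the tree for anything still group-writable or reachable by "other", and emits a php-fpm pool that runs PHP as the site user while keeping the socket reachable by nginx running as www-data. The `chown` step is shown as a comment because it needs root; the socket path and the open_basedir line are assumptions for the example, the other directive names are standard php-fpm ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: one site per
# system user, e.g. /var/www/site1 owned by user1:www-data (hypothetical
# names). Ownership itself needs root:
#   chown -R user1:www-data /var/www/site1

# Apply the permissions from the answer: directories 750, files 640.
# Owner (the php-fpm/FTP user) gets full access, group (www-data, i.e.
# nginx) gets read-only, everyone else gets nothing.
harden_tree() {
  root="$1"
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
}

# Count entries that are still too open: any "other" bit, or group-write.
# Prints 0 for a correctly hardened tree, so it doubles as a check you
# can run from cron after a plugin update or an FTP upload.
audit_tree() {
  root="$1"
  find "$root" \( -perm -0002 -o -perm -0004 -o -perm -0001 -o -perm -0020 \) | wc -l
}

# Emit a php-fpm pool that runs PHP as the site user. listen.owner/group
# are www-data so nginx can connect to the socket; the socket path and
# the open_basedir value are assumptions for this example.
pool_conf() {
  user="$1"
  site="$2"
  cat <<EOF
[$user]
user = $user
group = www-data
listen = /run/php/php-fpm-$user.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = $site
php_admin_value[open_basedir] = $site:/tmp
EOF
}

# Usage: ./harden.sh /var/www/site1 user1
if [ -n "$1" ]; then
  harden_tree "$1"
  echo "entries still too open: $(audit_tree "$1")"
  if [ -n "$2" ]; then
    pool_conf "$2" "$1"
  fi
fi
```

Run it as root against each site root with the matching pool user; the nginx server block for that site then points its `fastcgi_pass` at the pool's socket, and the FTP daemon only needs to authenticate the same system user, with no group membership tricks. Note that 640/750 leaves nginx unable to serve any file php-fpm writes with a more restrictive mode, so a plugin that creates 600 files will need its umask adjusted in the pool.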

Ergil Osin, 2015-01-11
@Ernillew

Use pure-ftpd with a virtual user that is mapped to the real system user nginx runs as.

Igor, 2015-01-13
@merryjane

It can be replaced with proftpd.
There you can create virtual users and override their uid/gid with those of a real user (for example, www-data). As a result they have the same rights as nginx.
It is configured very easily with a couple of lines in the standard config.
