Securing nginx: Workers per server block under specific user?

stadtpirat11 at ymail.com
Mon Aug 26 11:14:32 UTC 2013


Hello,

I don't quite understand how this works. Until now I was 
running my websites under Cherokee Web Server. Cherokee ran under user 
www-data and all my websites shared the same permissions 
(www-data:www-data rwxrwx---). That worked well, but then I also 
realised: if someone were able to inject PHP code into one of my 
websites, he would have full read/write access to all of my sites. That 
would enable him to read my database passwords. For example using this 
line of code: `scandir("/usr/local/var/www/site2/config/database.php")`.

Now, I said goodbye to Cherokee and am currently looking into nginx.

The first thing I did was to restrict the permissions in the www folder:

> drwxr-x--- 4 root      root      4.0K Aug 16 14:30 .
> drwxr-sr-x 7 root      staff     4.0K Aug 15 15:02 ..
> drwx------ 2 www-site1 www-site1 4.0K Aug 25 20:44 site1
> drwx------ 9 www-site2 www-site2 4.0K Aug 15 15:38 site2


Then I realised that I cannot spawn workers per server block. So as far as I
understand, the user under which nginx is running (www-data) needs read
access to folder site1 and site2. So I would need to change the
permissions to:


> drwxr-x--- 4 root      root      4.0K Aug 16 14:30 .
> drwxr-sr-x 7 root      staff     4.0K Aug 15 15:02 ..
> drwxr-xr-x 2 www-site1 www-data  4.0K Aug 25 20:44 site1
> drwxr-xr-x 9 www-site2 www-data  4.0K Aug 15 15:38 site2


That is really bad because I would have the same security problem as I had
before with Cherokee. With one line of PHP he could read from any "site"
folder (see above). I could tackle that problem by assigning rwx------
permissions to all files, but then I would probably be busier with
changing file permissions than developing websites ...




-> Is there no way to have workers spawn per server block that run under a
specific user? Say, 5 server blocks, 3 workers each?

-> How did you solve this problem?




Cheers
Stadtpirat
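
The two directory listings in the message can be compared mechanically. The following Python sketch is an added example, not part of the original post: it parses the `ls -l` lines and applies the POSIX owner/group/other rule to report which other accounts can list each site directory. It assumes each account belongs only to the group of the same name, and it checks only the directory's own mode bits, not its parent directories.

```python
# Listings copied from the post: the restrictive layout, then the one needed for www-data.
LISTING_PRIVATE = """\
drwx------ 2 www-site1 www-site1 4.0K Aug 25 20:44 site1
drwx------ 9 www-site2 www-site2 4.0K Aug 15 15:38 site2
"""
LISTING_SHARED = """\
drwxr-xr-x 2 www-site1 www-data  4.0K Aug 25 20:44 site1
drwxr-xr-x 9 www-site2 www-data  4.0K Aug 15 15:38 site2
"""
# Constructed line (not from the post): same owner/group, but no bits for "other".
LISTING_GROUP_ONLY = "drwxr-x--- 2 www-site1 www-data 4.0K Aug 25 20:44 site1\n"

# Assumption: each account's only group is the one named after it.
ACCOUNTS = {
    "www-data": {"www-data"},
    "www-site1": {"www-site1"},
    "www-site2": {"www-site2"},
}

def parse_ls(listing):
    """Yield (name, mode, owner, group) for each `ls -l` entry line."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 9 and len(fields[0]) >= 10:
            yield fields[8], fields[0][:10], fields[2], fields[3]

def can_list(mode, owner, group, user, groups):
    """Exactly one permission class applies: owner, else group, else other."""
    if user == owner:
        bits = mode[1:4]
    elif group in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    # Listing a directory needs r, entering it needs x (lowercase s/t include x).
    return bits[0] == "r" and bits[2] in "xst"

def exposure(listing):
    """Map each directory to the accounts, other than its owner, that can list it."""
    return {
        name: sorted(u for u, g in ACCOUNTS.items()
                     if u != owner and can_list(mode, owner, group, u, g))
        for name, mode, owner, group in parse_ls(listing)
    }

if __name__ == "__main__":
    for label, text in [("private", LISTING_PRIVATE), ("shared", LISTING_SHARED),
                        ("group-only", LISTING_GROUP_ONLY)]:
        print(label, exposure(text))
```
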