Creating per-user php5-fpm pools the secure way


When creating per-user php5-fpm pools on an Apache mod_fastcgi setup, which of the following is the most secure and efficient way of granting webserver permissions to the PHP pool?

Option 1:

Set the group to www-data:

listen.owner = username
listen.group = www-data
listen.mode = 0660

user = username
group = www-data

While this works, files created by PHP would have their ownership set to username:www-data, while files uploaded via SCP will have username:username.


Option 2:

Add www-data to the supplementary group username:

listen.owner = username
listen.group = username
listen.mode = 0660

user = username
group = username


usermod -aG username www-data

Which of these options is secure? You may also share a better method.

I checked the following guides:

But they were all written before bug #67060 was discovered and fixed.


There is 1 answer

bibinka On

I am using the following setup on my LEMP stack (Nginx + PHP-FPM). For Apache this should also be applicable.

PHP-FPM runs several pools as nobody:user1, nobody:user2 ...

Nginx runs as nginx:nginx

User nginx is a member of each of the user1, user2, ... groups:

# usermod -a -G user5 nginx

File permissions:

root:root    drwx--x--x   /home
user1:user1  drwx--x---   /home/user1                       (1)
user1:user1   rwxr-x---   /home/user1/site.com/config.php   (2)
user1:user1  drwxrwx---   /home/user1/site.com/uploads      (3)
nobody:user1  rw-rw----   /home/user1/site.com/uploads/avatar.gif   (4)

(1) The user's home dir has no x permission for other, so the php-fpm pool running as nobody:user2 will not have access to /home/user1, and vice versa.

(2) The php script doesn't have w for group, so it cannot create files in htdocs.

(3) On the uploads dir we should manually enable write access for group user1, to enable the php script to put files there. Don't forget to disable the php handler for uploads; in nginx this is done by

server {
    ....
    # ^~ stops regex locations (such as the .php handler) from matching under /uploads/
    location ^~ /uploads/ { }
}

but for Apache you should check.

(4) Uploaded files should also have w for group if we want user1 to be able to edit these files later via ftp or ssh (logging in as user1:user1). PHP code is also editable via ftp since user1 is its owner.

Nginx will have read access to all users and write access to all users' uploads, since user nginx is a member of each user1, user2, ... group. You should not forget to add it to the groups of all users created later. You can also modify the useradd script to do it automatically.
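As an added example (not part of bibinka's answer), a small POSIX shell audit that checks one user's tree against the four permission rules in the table above. It checks modes only, since ownership checks would need root-created fixtures; `make_sample_tree` builds a constructed stand-in for /home/user1 under a temp dir, and the `site.com` name is taken from the answer's table.

```sh
#!/bin/sh
# Added example: audit <home>/<site> against the per-user pool permission model.
# Modes only (nobody:userN ownership needs root to reproduce). GNU stat first, BSD fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }   # e.g. 710, 770
other_bits() { mode_of "$1" | sed 's/.*\(.\)$/\1/'; }               # last octal digit

check_tree() {                                   # usage: check_tree /home/user1 site.com
  home="$1"; site="$2"; up="$home/$site/uploads"; rc=0
  # (1) home dir: no bits for "other", so a pool running as nobody:user2 cannot traverse it
  [ "$(other_bits "$home")" = 0 ] || { echo "FAIL: $home open to other ($(mode_of "$home"))"; rc=1; }
  # (2) PHP code: group (the pool) may read/execute but never write; nothing for other
  for f in $(find "$home/$site" -name '*.php'); do
    m=$(mode_of "$f")
    case "$m" in [0-7][0-5]0) ;; *) echo "FAIL: $f mode $m (code must be r-x for group, --- for other)"; rc=1;; esac
  done
  # (3) uploads dir: group-writable so the pool can store files, still closed to other
  case "$(mode_of "$up")" in 770|2770) ;; *) echo "FAIL: $up mode $(mode_of "$up"), expected 770"; rc=1;; esac
  # (4) uploaded files: group-writable so user1 can edit them later via ftp/ssh; closed to other
  for f in $(find "$up" -type f); do
    m=$(mode_of "$f")
    case "$m" in [0-7]60|[0-7]70) ;; *) echo "FAIL: $f mode $m (uploads must be rw for group)"; rc=1;; esac
  done
  return $rc
}

make_sample_tree() {                             # constructed fixture mirroring the answer's table
  root=$(mktemp -d); home="$root/home/user1"
  mkdir -p "$home/site.com/uploads"
  printf '<?php\n' > "$home/site.com/config.php"
  : > "$home/site.com/uploads/avatar.gif"
  chmod 710 "$home"                              # (1) drwx--x---
  chmod 750 "$home/site.com/config.php"          # (2) rwxr-x---
  chmod 770 "$home/site.com/uploads"             # (3) drwxrwx---
  chmod 660 "$home/site.com/uploads/avatar.gif"  # (4) rw-rw----
  echo "$home"
}
```

Run `check_tree /home/user1 site.com` as root on a real host; a non-zero exit lists every path whose mode lets another pool traverse, or lets PHP modify, what it should not.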