How should I structure my users/groups/permissions for a web server?
Solution 1:
If your web server can write to all of your files, then the site isn't necessarily secure; any (known or unknown) exploit against nginx, PHP (or Rails or whatever stack etc.) or the web applications you may be using means that an attacker can write to everything.
The most secure method is to have all files owned by a user other than the user that the web server (and PHP etc.) runs as, and only make things writable that must be writable for the application to function, such as user upload directories.
For instance, on my web server, nginx runs as user nginx, php-fpm also runs as user nginx, and all files are owned by my own user account except for the upload directories, which are owned by nginx so that my web app's file upload features work.
Whenever I use SFTP, I log in with my own user account, and I su to root to change ownership of such upload directories (such as WordPress /wp-content/uploads directory). Most web applications will print a warning during installation when a file or directory needs to be writable.
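One way to check a site against the layout described in this answer, as an added example that is not part of the original answer: the function lists every path under a document root that the web server account owns or that is world-writable, skipping the directories that are meant to be writable. The function name `audit_docroot` and the paths in the usage comment are assumptions; group-writable paths are not checked.

```sh
#!/bin/sh
# Added example (not from the original answer).
# Usage: audit_docroot DOCROOT WEB_USER [WRITABLE_DIR...]
#   DOCROOT       site root, without a trailing slash
#   WEB_USER      account (name or numeric uid) that nginx/php-fpm run as
#   WRITABLE_DIR  directories, relative to DOCROOT, that are allowed to be
#                 writable by the web server (for example upload directories)
# Prints one path per line; no output means nothing unexpected was found.
audit_docroot() {
    docroot=$1
    web_user=$2
    shift 2

    # Turn each allowed directory into a "-path DIR -prune -o" clause so
    # find never descends into it. The loop walks the original argument
    # list while replacing it with the generated clauses.
    for dir in "$@"; do
        set -- "$@" -path "$docroot/$dir" -prune -o
        shift
    done

    # Outside the pruned directories, report anything the web user owns
    # (an owner can always grant itself write access) and anything that
    # is writable by "other". Symlinks are skipped because their mode
    # bits are not meaningful.
    find "$docroot" "$@" \
        \( -user "$web_user" -o -perm -0002 \) ! -type l -print
}

# Example call (hypothetical paths):
#   audit_docroot /var/www/example nginx wp-content/uploads
```

Run it as a user that can read the whole tree; each path it prints is something an exploited web server process could modify.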