What is the best user to manage a webserver? [duplicate]

While What's the best way of handling permissions for Apache 2's user www-data in /var/www? discusses the permission issue quite well, it's almost 9 years old and doesn't follow current best practices. I'll answer the question: What is the best way to do this securely?

As discussed on meta, the moved and improved version of this answer is here.

  • Have a separate user for every site, i.e. don't serve all sites using www-data. This is important, as with your WordPress (or any other CMS) your Apache is not serving static content files, but running PHP. If you have a security problem on a single site, it can spread to every site that is running as the same user.

  • Uploading files via FTP is not secure, as it sends both the passwords and the content in plain text. E.g. the WordPress you are hosting has database login information in wp-config.php. You should be using SSH File Transfer Protocol (SFTP) instead.

    This way you can also add public keys of your site administrators to ~/.ssh/authorized_keys, making it unnecessary for them to know the password for the user the site is running on. (See How To Set Up SSH Keys on Ubuntu 16.04.) The personal public SSH key can be used across multiple sites for easy & fast access, reducing the extra burden of having multiple accounts.

  • Use PHP-FPM. It's the current approach for running PHP as the user. Create a new pool for every user, i.e. one pool per site. This is the best for both security and performance, as you can also specify how many resources a single site can consume.

    See e.g. NeverEndingSecurity's Run php-fpm with separate user/uid and group on linux. There are tutorials like HowtoForge's Using PHP-FPM with Apache on Ubuntu 16.04 that don't use PHP-FPM to increase security through user separation, guiding you to use a single FPM socket across the server.
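The per-site user and per-site PHP-FPM pool that the answer above recommends, written out as an added example that is not part of the original answer. It assumes a Debian/Ubuntu layout (pool files under /etc/php/7.0/fpm/pool.d, Apache running as www-data, mod_proxy_fcgi enabled) and uses a hypothetical site user "site1" with its files under /var/www/site1; the socket path, domain and resource limits are made-up values to adapt.

```shell
#!/bin/sh
# Added example: one unix user + one PHP-FPM pool + one Apache vhost per site,
# so a compromise of one site's PHP cannot read or write another site's files.
# Assumed (hypothetical) names: site user "site1", webroot /var/www/site1,
# Apache user www-data, pool dir /etc/php/7.0/fpm/pool.d.
#
# One-time setup, run as root (not executed here):
#   adduser --system --group --home /var/www/site1 --shell /bin/sh site1
#   chown -R site1:site1 /var/www/site1 && chmod 750 /var/www/site1
#   usermod -aG site1 www-data      # Apache may read static files, not write
#   install -d -m 700 -o site1 -g site1 /var/www/site1/.ssh   # for SFTP keys

# gen_pool_conf SITE USER -> prints a php-fpm pool that runs as USER
gen_pool_conf() {
  site="$1"; user="$2"
  cat <<EOF
[$site]
; PHP workers run as the site's own user, never as www-data
user = $user
group = $user
; one socket per pool; only Apache (www-data) may connect to it
listen = /run/php/php-fpm-$site.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; cap the CPU/memory this site can consume
pm = ondemand
pm.max_children = 10
pm.process_idle_timeout = 10s
; confine file access to the site's tree and drop shell-spawning functions
php_admin_value[open_basedir] = /var/www/$site:/tmp
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,popen,proc_open
EOF
}

# gen_vhost_conf SITE DOMAIN -> prints an Apache vhost that hands .php to the pool
gen_vhost_conf() {
  site="$1"; domain="$2"
  cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot /var/www/$site/public
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php-fpm-$site.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
EOF
}

# pool_user CONF -> the user the pool definition runs as (sanity check helper)
pool_user() {
  printf '%s\n' "$1" | sed -n 's/^user = //p'
}

# Write both files when run directly (paths are the assumed Debian layout).
if [ "${1:-}" = "install" ]; then
  gen_pool_conf site1 site1 > /etc/php/7.0/fpm/pool.d/site1.conf
  gen_vhost_conf site1 site1.example > /etc/apache2/sites-available/site1.conf
  echo "wrote pool and vhost for site1; reload php7.0-fpm and apache2"
fi
```

Repeat the pattern with a new user and pool name for every additional site; the listen.owner/listen.mode pair is what lets www-data reach the socket while the PHP process itself never has www-data's privileges.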