Prevent write access for php (fcgi) user to all files inside /public_html in default NGINX setup


With each Virtual Server, Virtualmin creates a new user, and PHP processes (when using NGINX / PHP FPM (fcgi)) are then run as this user. What I found problematic is that with this setup the webserver (PHP) user can write to all folders / files inside /public_html by default. This creates a security issue, since when a website is compromised the attacker can change any file inside the virtual server.

Normally with a mod_php webserver all processes are run as the same user (www-data, nobody, …) and processes have write access only when you chmod 777. But with fpm / fcgi the owner of the files is the same as the webserver user, so changing chmod doesn’t protect files from being modified by an attacker.

What would be the recommended step to achieve the same protection as with mod_php while still having separate users per virtual server? If I change the owner of the files inside /public_html this creates a problem, since the owner of the virtual server cannot edit files through ftp / ssh anymore.

The ideal solution would be, IMHO, that when creating a new Virtual Server with an associated user, the default fcgi process created by Virtualmin wouldn’t be able to write to files / folders where not explicitly allowed with chmod (as with mod_php), while at the same time still using a different user for each Virtual Server, which I think is still a benefit of the fcgi model over mod_php, where all webserver processes are run as the same user (that’s not good either).

I know this can be tweaked, but I am talking about the default behavior, when Virtualmin creates a unix socket such as fastcgi_pass unix:/var/php-nginx/151896763827339.sock/socket; for each virtual webserver.

I am not sure what would be the best approach to solve this, and whether Virtualmin should address this issue in new versions to decrease the vulnerability of websites by default. Any ideas?
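
The ownership situation described in the post above can be audited with a short script. This is an added example, not part of the original thread or of Virtualmin; `fpm_writable` is a hypothetical helper, and it assumes GNU find, looks only at the primary gid, and ignores ACLs.

```shell
#!/bin/sh
# Added example (not from the thread). fpm_writable is a hypothetical helper.
# Lists paths under DOCROOT that a process running as UID:GID can modify,
# judged from ownership and mode bits alone.
# Assumptions: GNU find (-printf); primary gid only; ACLs are ignored.
fpm_writable() {
    root=$1 uid=$2 gid=$3
    # %U owner uid, %G group gid, %m octal mode, %p path
    find "$root" \( -type f -o -type d \) -printf '%U %G %m %p\n' |
    while read -r o g mode path; do
        m=$((0$mode))            # leading 0 makes the shell parse it as octal
        reason=
        if [ "$o" = "$uid" ]; then
            # The owner can always chmod the file back to writable, so the
            # mode bits give no protection against this uid.
            reason=owner
        elif [ "$g" = "$gid" ]; then
            # Group class applies; the "other" bits are not consulted.
            if [ $(( $m & 020 )) -ne 0 ]; then reason=group-write; fi
        elif [ $(( $m & 02 )) -ne 0 ]; then
            reason=world-write
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$reason" "$mode" "$path"
        fi
    done
}

# Run as: sh audit.sh /home/example/public_html 1001 1001  (constructed values)
if [ "$#" -eq 3 ]; then fpm_writable "$@"; fi
```

Passing the uid that owns the files reports every path as `owner`, including read-only ones; passing a different uid reports only paths opened up through group or world write bits.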


“If I change owner of the files inside /public_html this creates a problem, since owner of virtual server can not edit files through ftp / ssh anymore.”

This could be the solution. A change of the virtual server’s files owner, and optionally giving that virtual server owner access to that account explicitly. A menu can provide a virtual server owner with “File Modifications Rights” adding that user. Some owners could do better without that and in some cases it may be better to give it temporarily or restrict access.

Yes, that would be a solution. A new option, while creating / editing a Virtual Server, to optionally choose which user PHP processes would be run as. So I could choose www-data or create a new user inside the VS and assign it. And then change file permissions accordingly.

If I am not mistaken, there is no option in the current interface to choose the system user which will be the owner of PHP FPM processes, is there?