Nginx/php-fpm user (www-data) SFTP best practices


#1

Hi All.

Before giving ee a go, I would set up nginx and php to run under the user account ‘deploy’, which I would set up and give SFTP access. This way, when I needed to make quick modifications to any file served, I could do so without concern about the user:group being modified.

How are you guys with the default ee setup going about SFTPing in and making changes? Are you not doing it? Or are you doing it, but only after giving the www-data user a password?

All ears. thanks guys!


#2

Hi,

By default, EasyEngine is not enabling the www-data user for SFTP. You need to give it an SSH login and password for that.

For setting up SFTP using the www-data user, we follow this tutorial.


#3

So you already covered it in the docs! Great. I have done this in the past too, but it always felt sort of wrong, as if the www-data user should not be a user that has access. I guess this is more of a general SYSADMIN question than an EE-specific one. But if you guys at rtCamp are doing it, that sort of removes some of the sting for me; maybe I’ll just roll with that instead of creating a new user and modifying the configs.

One thing is for sure, I do like to SFTP into my web root via a GUI and mess with files from time to time, and I prefer to do that with little to no concern about user permissions, so perhaps this is inevitable then.

Thanks @gau1991


#4

Yes, you are right. To sort of solve this, you can create a user, let us say bob, and add them to the www-data user, so that he can access the webroot.


#5

So just to be clear, you’re saying that maybe the best practice here (or at least what you guys are doing in the field) is to not set up a password for www-data to SFTP into the server, but instead to set up a new user that belongs to the var-www group. If so, are you setting a sticky bit on the permissions?


#6

User permissions have always really confused me!

Would it be possible to add a new command to EasyEngine (something like ee user create simon) that would add a new user, set up SFTP access, and set all the correct user and file permissions so they can only create/edit/delete files within /var/www (and also allow WordPress to update any plugin/theme files that user has created)?


#7

ee user create simon

Excellent idea! :slight_smile:


#8

Hello!

Any improvement on plans about adding ee user create command? :slight_smile:

Thanks.


#9

I think the command should have the site in it as well, maybe the last variable. So you could create a user that has access to that specific site only.

ee user create simon example.com

ee user create john anothersite.com


#10

Old topic, but I came across it while searching for SFTP… Is there any update about the ee user module? Or did that fall off the “To do” list? :confused:


#11

If I add another user purely for SFTP to put web files up, they get denied access. Here is what I have used.

sudo useradd -d /var/www/ -s /bin/bash uploader or sudo useradd uploader … then sudo usermod -a -G www-data uploader

I can always log in to SFTP, but I can't upload anything with the new user, as I get a permission denied. Any thoughts, or logs, configs etc. that would be helpful?


#12

Any word on this? This tutorial doesn’t work.


#13

I have this fixed by not giving www-data a password for security purposes. Instead, I gave it an ssh keyless login since /var/www itself is not publicly available.

/var/www/.ssh/authorized_keys

Though of course, you’ll need to do this:

To set up a login shell, change /usr/sbin/nologin to /bin/bash

And then finally disable plain text logins:

sudo nano /etc/ssh/sshd_config

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

sudo service ssh restart