Best practice setting users and permissions for multiple WordPress sites

November 15, 2016
WordPress Nginx Getting Started Security Apache Ubuntu 16.04

Hi everyone,

I could use a little advice regarding running multiple WordPress sites on a single server, as multiple users, and making sure the webserver has the proper permissions to make changes while making sure security is in order.

What I'd like to achieve... A configuration in which I can use a user per website, and where the webserver can make changes (i.e. uploading media, plugins, etc), without relying on chmod (not having to use chmod at all feels better). Where the user can make changes to its directory (e.g. a git working directory for automatic deployments). Where the users can't change each other's files.

I wonder... Is the configuration described below a proper one? Should I do something differently? Are there better solutions?

Some backstory... For a while now I have been setting up servers for websites and web apps. Most of the time I run multiple websites from the same server. Could be a staging and production environment, but also different (client) websites. Sometimes I add CI to the mix using CircleCI. Basically CircleCI pushes to a repository on the server, this repo then updates the working directory which could be a web app or WordPress theme. Everything currently works okay, although I think security, and how things are set up, could be improved.

Currently my configuration often looks like...

Users

somewebsite 
# User on the server with the directory `/var/www/somewebsite`

someotherwebsite
# Another user on the server with the directory `/var/www/someotherwebsite`

When needed I use these users to make changes to the contents.

Directories

/var/www/somewebsite/html 
# Wordpress website

/var/www/somewebsite/somewebsite.git 
# Git repo with a working dir set to `/var/www/somewebsite/html/wp-content/themes/sometheme`

/var/www/someotherwebsite/html
# Some other website

/var/www/yetanotherwebsite/html
# Yet another Wordpress website

Permissions
The contents of /var/www/somewebsite/html, /var/www/someotherwebsite/html, and /var/www/yetanotherwebsite/html belong to the user and group www-data. Although, when I would upload something manually later, this upload (logically) belongs to the user I am using for access (not www-data).

The users somewebsite, someotherwebsite, and yetanotherwebsite have been added to the www-data group. I believe this means someotherwebsite could make changes to somewebsite (and vice versa). Which would be better if it couldn't.

Trivia

  • Depending on the requirements I use Apache or nginx.
  • SSH keys are used for authentication, Password Authentication is disabled.

I understand my current configuration isn't the most straightforward one. I do hope I clarified most of it.

I read a lot of information regarding the subject, but it's hard to find something which is applicable to my situation. This tutorial was very useful: https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-wordpress-sites-on-a-single-ubuntu-vps.

Any tips, feedback and insights are welcome!

2 Answers

Realise this is a little late, but people could still turn up from Google...

Why not just invert it?

Something like:

/var/www/app1   770     app1:app1
/var/www/app2   770     app2:app2

app1 group members:
    - app1
    - www-data

app2 group members:
    - app2
    - www-data

app1 can change anything in:
    - /var/www/app1

app2 can change anything in:
    - /var/www/app2

www-data can change anything in:
    - /var/www/app1
    - /var/www/app2

Technically speaking, this still isn't a great setup, as www-data is by design an unprivileged user:group, and should the www-data user be compromised you're in for a world of hurt, so shouldn't be given blanket control of anything, but that's outside the scope of this question.
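The difference between the question's shared www-data layout and the per-app groups in the answer above, as an added example that is not part of the original thread. It models the classic owner/group/other write check (no ACLs, root ignored) and lists which site accounts can write into another site's tree; the 0o775 mode on the question's directories is an assumption, since the post does not state one.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "path owner group mode")

def can_write(user, groups, entry):
    """Classic Unix check: the first matching class (owner, group, other) decides."""
    if user == entry.owner:
        return bool(entry.mode & 0o200)
    if entry.group in groups.get(user, set()):
        return bool(entry.mode & 0o020)
    return bool(entry.mode & 0o002)

def cross_site_writers(entries, groups, intended):
    """Return sorted (user, path) pairs where a site account can write to a tree it does not own."""
    accounts = set(intended.values())
    return sorted(
        (user, e.path)
        for e in entries
        for user in accounts
        if user != intended[e.path] and can_write(user, groups, e)
    )

# Layout from the question: everything www-data:www-data, site users added to www-data.
# Mode 0o775 is an assumption (the post gives no mode).
SHARED_GROUPS = {
    "somewebsite": {"somewebsite", "www-data"},
    "someotherwebsite": {"someotherwebsite", "www-data"},
    "www-data": {"www-data"},
}
SHARED = [
    Entry("/var/www/somewebsite/html", "www-data", "www-data", 0o775),
    Entry("/var/www/someotherwebsite/html", "www-data", "www-data", 0o775),
]
SHARED_INTENDED = {SHARED[0].path: "somewebsite", SHARED[1].path: "someotherwebsite"}

# Layout from the answer: one group per app, www-data added to each app group, mode 770.
PER_APP_GROUPS = {"app1": {"app1"}, "app2": {"app2"}, "www-data": {"www-data", "app1", "app2"}}
PER_APP = [
    Entry("/var/www/app1", "app1", "app1", 0o770),
    Entry("/var/www/app2", "app2", "app2", 0o770),
]
PER_APP_INTENDED = {"/var/www/app1": "app1", "/var/www/app2": "app2"}

if __name__ == "__main__":
    print("shared www-data group:", cross_site_writers(SHARED, SHARED_GROUPS, SHARED_INTENDED))
    print("per-app groups:       ", cross_site_writers(PER_APP, PER_APP_GROUPS, PER_APP_INTENDED))
```

On a real server, files created by the web server inside an app directory only keep the app group if the directory carries the setgid bit or a matching default, which this model does not cover.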

Yes. With your current setup, theoretically one user could modify another user's files. Having these permissions all within the www-data group is important so that the web server has permission to write and modify the files it needs to, so your best bet may be to give your users ssh/sftp chroots, which would lock their ssh/sftp access to their site's directory and only allow them access to those files. The group could remain www-data for apache while the users would have the ability to access any files in their directory. Something like this in your ssh server configuration would do the trick:

Match User john
    ChrootDirectory /home/john
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

More information can be found here
