Recommended Ownership on WordPress, Varnish, Nginx, MySQL Stack

December 27, 2013
I have a new droplet that will be running multiple client sites. I set up the server to use Varnish, Nginx and MySQL on the latest version of Ubuntu, with server blocks in Nginx. While I have got it all working, I'm not sure of the best way to handle ownership of folders.

For instance, following best security practices I created a new user with sudo powers and disabled the root login. I also added an SSH key to that new user (as well as Authy 2-factor authentication) and disabled password authentication. So now I log in as that new user and then run sudo su to run commands as root.

Say I have a few sites such as /var/www/ /var/www/ /var/www/

Now I can create a separate user for each of those and assign that user/group to each of those site folders, which allows me to edit those files through SFTP, but then in WordPress I would run into issues where the webserver isn't running as www-data and thus won't be able to natively install plugins and such. I can set each of those to run as www-data:www-data, which would avoid the WordPress issues, but then I would be unable to easily edit files through SFTP (Transmit). While in general most changes would be through Git/Capistrano, I would want a way to edit on the fly through SFTP as well.

Does anyone have recommendations on the best way to resolve this, so that each WordPress site is running as nginx (which is www-data) but each site also has its own SSH user so I can edit files through Transmit/SFTP? I also want to make sure each of those SFTP users can only access their own site and no others. I will also want a single Git user that will be able to deploy to all those sites, as well as a single backup user that will be able to back up all the sites.

I wouldn't need step-by-step instructions; I'm looking more for the general theory on how to handle this, user/group permissions-wise. Thanks!
6 Answers
Can't find an option to edit my original post, so will add as a comment, but wanted to note that I tried, for instance, adding user1:www-data to the example1 site and user2:www-data to the example2 site and so on, which in theory I would think would work, since it would allow one SFTP user for each site as well as allowing nginx/webserver to read/write to the site. But when I tried that in WordPress it still asks me for FTP info to update plugins and such, compared to when I had it set to www-data:www-data. Think I'm on to something there though.
Your best bet would be chowning each site to its own username:group e.g. site1:site1, adding www-data and git to the site1 group, and then allowing members of the site1 group to write to the files:
sudo chown -R g+w /path/to/site1
Wow, I asked that on StackOverflow and got people directing me to existing complex, unhelpful answers, and you have, in almost the length of a tweet, provided a brilliant answer. Just finished transferring all my domains from MediaTemple since they were bought by GoDaddy, and simply loving DO!
Just to add, the above gave an error that user g+w doesn't exist.

But this works:

sudo chmod -R g+w /path/to/site1
My bad, the command should be chmod, not chown. Glad I could help!
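
The layout from the answer above (each site owned by its own user:group, www-data and git added to that group, group-writable tree), as an added example that is not part of the original thread; it assumes GNU find/chmod on Ubuntu and that the www-data and git accounts already exist, and adds setgid on directories so files uploaded later keep the site group.

```shell
#!/bin/sh
# Added example: one site = one user:group; www-data and git join the group;
# directories are group-writable with setgid so new uploads keep the group.
set -eu

# Create the site user and group and add the shared service accounts to the
# group. Needs root. Assumes the www-data and git accounts already exist.
add_site_account() {
    site=$1
    getent group "$site" >/dev/null || groupadd "$site"
    getent passwd "$site" >/dev/null || useradd -m -g "$site" -s /bin/sh "$site"
    for member in www-data git; do
        usermod -aG "$site" "$member"
    done
}

# Set owner, group and modes on one docroot (the chmod g+w step from the
# answer, plus setgid on directories). Safe to re-run after each deploy.
apply_site_perms() {
    dir=$1 owner=$2 group=$3
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 2775 {} +   # rwxrwsr-x
    find "$dir" -type f -exec chmod 664 {} +    # rw-rw-r--
    if [ -f "$dir/wp-config.php" ]; then
        chmod 660 "$dir/wp-config.php"          # DB credentials: no world read
    fi
}

# Count entries that break the layout: directories without setgid or group
# rwx, files without group rw, anything not in the site group. 0 means OK.
count_perm_violations() {
    dir=$1 group=$2
    {
        find "$dir" -type d ! -perm -2070
        find "$dir" -type f ! -perm -060
        find "$dir" ! -group "$group"
    } | wc -l | tr -d ' '
}
```

One caveat worth knowing: WordPress only picks its "direct" filesystem method when the PHP process owns the files it creates, so with group-write alone it still asks for FTP credentials unless wp-config.php sets define('FS_METHOD', 'direct').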

I've been having this problem for the last day since I set up my droplet.
Similar to the OP, I have nginx running on Ubuntu.
I have a user with sudo power, "jim".
This user owns all the files and folders within the html directory that comprise the WordPress installation.

I've added this user to the www-data group, as well as the reverse, so that:

jim@noise:/var/www/$ id jim
uid=1000(jim) gid=1001(jim) groups=1001(jim),33(www-data)
jim@noise:/var/www/$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(jim)

Still, when trying to upload media or plugins from my computer I will get the error "The uploaded file could not be moved to wp-content/uploads."

The only way I can get uploads to work is by changing the ownership of the files and folders to jim:www-data, but as the OP noted this creates a permissions issue when trying to do anything via FTP.

From reading various threads this seems to be a recurring issue.
