Why doesn't chown -R root:www-data work on my Wordpress installation?
Quite some time ago, I was following this tutorial which showed me how to install Wordpress on an NGINX + Ubuntu (LEMP) setup:
I got stuck on this portion for quite some time back then as I used
root as the user for this instruction snippet below:
The group that nginx operates under is www-data. For the user portion, enter your user account name. We will demonstrate with an account called demo here: sudo chown -R demo:www-data /var/www/html/*
To clarify, it didn't give me any errors or anything, but what I found out was that if I used root:www-data for my file ownership settings, I wouldn't be able to add / update plugins / edit code on the site. It would always prompt me for FTP / SFTP details, in which it would fail even if i entered the correct credentials due to the permissions being
drwxr-xr-x (Owner has write permission).
So i tried this:
sudo chown -R www-data:www-data /var/www/html/*
and it worked -- I was able to write / update plugins freely as the Wordpress site admin.
However, I now have a roughly better understanding of how ownership and groups work, and I'm concerned that by doing
chown -R www-data:www-data, I opened a security flaw on my own.
Am I doing it right? Why didn't
root:www-data work for being able to update the site in the first place?