Nginx File owner and web users question

sds · Aug 11, 2022

I am in the middle of trying to close a wordpress hack. As such, I'm evaluating users/file owners/permissions. I read this and it seems reasonable. CMM has everything owned by nginx:nginx. This write-up recommends against it and has recommendations for the specifying the web user. Why should I not follow this advice? Is it unnecessary?

NGINX and PHP-FPM. What my permissions should be? - GetPageSpeed

eva2000 · Aug 11, 2022

sds said: ↑

I am in the middle of trying to close a wordpress hack. As such, I'm evaluating users/file owners/permissions.
Click to expand...

Are you able to provide details of the hack and how it came to be?

How was Wordpress installed, and what plugins were used?

Was it on a server you only had access to or did other admins and site owners had access to as well?

and
Is this a hack on a Centmin Mod powered server? If it was, I can offer to log into your server and take a quick look to see if I can find their entry point for you.

Was the Wordpress site created using Centmin Mod's centmin.sh menu option 22 Wordpress auto installer https://community.centminmod.com/th...l-vs-centmin-sh-menu-option-22-install.15435/ or was it a Wordpress installation migrated from a non-Centmin Mod powered server to Centmin Mod?
If it was Centmin Mod centmin.sh option 22 based, the installer would create a wpinfo.sh script at /usr/local/nginx/conf/wpincludes/ will when run will provide output summary of your Wordpress install, you can see and provide a list of plugins and themes from that output (not the sensitive info don't post that publicly) i.e. for wpce.domain.com created Wordpress site
Code (Text):
/usr/local/nginx/conf/wpincludes/wpce.domain.com/wpinfo.sh
WP-CLI 2.6.0
WP-Home    http://wpce.domain.com
WP-SiteURL http://wpce.domain.com
WordPress  version:   6.0
Database   revision:  51917
TinyMCE    version:   4.9110  (49110-20201110)
Package    language:  en_US
+--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
| ID     | user_login                         | display_name | user_email                  | user_registered     | roles         |
+--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
| 173432 | zxiJECpWGdHf0YFeijqCOhIy9Fxtwp4317 | George       | user@domain.com | 2022-06-06 16:33:04 | administrator |
+--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
+----------------------+------------------------------------------------------------------+----------+
| name                 | value                                                            | type     |
+----------------------+------------------------------------------------------------------+----------+
| table_prefix         | 22188_                                                           | variable |
| WP_CACHE             | 1                                                                | constant |
| DB_NAME              | wp2529014860db_9123                                              | constant |
| DB_USER              | wpdb9123u28826                                                   | constant |
| DB_PASSWORD          | wpdb6n6RDfPwGd5s5NeurQp8095                                      | constant |
| DB_HOST              | localhost                                                        | constant |
| DB_CHARSET           | utf8                                                             | constant |
| DB_COLLATE           |                                                                  | constant |
| DISABLE_WP_CRON      |                                                                  | constant |
| WP_AUTO_UPDATE_CORE  | minor                                                            | constant |
| WP_POST_REVISIONS    | 10                                                               | constant |
| EMPTY_TRASH_DAYS     | 10                                                               | constant |
| WP_CRON_LOCK_TIMEOUT | 60                                                               | constant |
| CONCATENATE_SCRIPTS  |                                                                  | constant |
| AUTH_KEY             | z/SE4bDs}_vhtw>N}^ejsNa[H#=K{WiM&S j=+X]^)<y=A<pe[;YRekl(qeD+!P| | constant |
| SECURE_AUTH_KEY      | VJO3LG+.#/^<`UMFp8cbqobj>rom9NA*]KG-[37Hti[z7ju%JCsW_equ{v*)LvV( | constant |
| LOGGED_IN_KEY        | HYzWiV1$S9s@W@)p]PLUa.x=z)hOZuEb%OtJ0lplI->r>IZUC>AJ=n6f{) ^c|ef | constant |
| NONCE_KEY            | 9-.v@5pema/~c2rVJsSpvAN1PT>&zr_xi<r#/KqJ5geTbZbM)#Vu==5=Bz1J}=(/ | constant |
| AUTH_SALT            | ^@3nJcME0SVv@]*!rxZ+.S&RBu%XTV9lPXXZ@nO>;O]H09@^}im~p$s (-XI*@,0 | constant |
| SECURE_AUTH_SALT     | xk);Hi2K:H=d}]S/8b|qW.GCz}`UF2($Lc;u_~7W_dovXwCZZ;KvpGm(ZETjUOmr | constant |
| LOGGED_IN_SALT       | B<#CE6`P|U0jk;UL+7Fa$bJA-T=+nrYA(BTk|9Mc4._Rj#eb;:Kc%(,G_8:GWvO` | constant |
| NONCE_SALT           | tE&1D8Zo9QB%/Eh`q[ukNUiJ!-XV:/]K6Wbl<q+]ypD%1(]j4TrvxQ0<]6`Mm{[? | constant |
| WP_CACHE_KEY_SALT    | mq`%/-9^Hcy5TMI3z?zBC/RK^GsP uZpo*qpb~k^Jlp 6TN,iL oq8S<hutIbr1< | constant |
| WP_DEBUG             |                                                                  | constant |
+----------------------+------------------------------------------------------------------+----------+
+-------------------------------+----------+--------+---------+
| name                          | status   | update | version |
+-------------------------------+----------+--------+---------+
| akismet                       | inactive | none   | 4.2.4   |
| autoptimize                   | active   | none   | 3.0.4   |
| autoptimize-gzip              | active   | none   | 0.1     |
| block-specific-plugin-updates | active   | none   | 3.2     |
| cache-enabler                 | active   | none   | 1.4.9   |
| cdn-enabler                   | active   | none   | 2.0.5   |
| classic-editor                | active   | none   | 1.6.2   |
| disable-xml-rpc               | active   | none   | 1.0.1   |
| sucuri-scanner                | active   | none   | 1.8.30  |
| advanced-cache.php            | dropin   | none   |         |
+-------------------------------+----------+--------+---------+
+-----------------+----------+--------+---------+
| name            | status   | update | version |
+-----------------+----------+--------+---------+
| twentytwenty    | inactive | none   | 2.0     |
| twentytwentyone | inactive | none   | 1.6     |
| twentytwentytwo | active   | none   | 1.2     |
+-----------------+----------+--------+---------+
If it was non-Centmin Mod, was it another LEMP stack control panel or your own LEMP setup?
Some background details might help too
Which version of Centmin Mod are you using? 123.08stable, 123.09beta01, 124.00stable or 130.00beta01?
For the latter 3 versions, you can run this command and share the output for the versions history listed
Code (Text):
cminfo versions
sds said: ↑

CMM has everything owned by nginx:nginx. This write-up recommends against it and has recommendations for the specifying the web user. Why should I not follow this advice? Is it unnecessary?
Click to expand...

The current answer lies in Centmin Mod's development history as it's a fork of the original Centmin project so the vhost structure originated there - see https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/ and my history on focusing on performance and scalability of servers for forum community centric users https://community.centminmod.com/threads/history-of-centmin-mod-from-2011.22733/

eva2000 said: ↑

So up until now, Centmin Mod’s core Nginx structure is derived from the original script’s default structure – that being of intended use by one administrator (root user) to manage one’s own group of Nginx powered domains/sites from the base directory structure of /home/nginx/domains/domainname.com. There were no individual user accounts nor was there individual ftp account access. It was all done from the root user and SCP/SFTP. Centmin Mod’s FAQ item #2 reflected such specifically mentioning that Centmin Mod was not suited to shared hosting as there was no jailed or chrooted user accounts set up.
Click to expand...

So even the FTP user that is created by Centmin Mod isn't an actual Linux user but a Pure-Ftpd virtual FTP user https://community.centminmod.com/th...-sftp-ssh-user-nginx-vhost-menu.8/#post-10139

It is necessary if you intend to some form of shared hosting or hosting sites you do not 100% administer or control yourself.

As it stands, Centmin Mod was never intended for shared hosting as reflected in Centmin Mod’s FAQ item #2 and doesn't create an actual Linux user for each site, so that's why there aren't per-user PHP-FPM pools. To do so would need a total rewrite of Centmin Mod's Nginx vhost creation setup - there are plans for this eventually though as I've tried various ways which I am currently not satisfied with from both my developer end and also with Centmin Mod end users complications/issues in mind - including breaking existing Centmin Mod Nginx vhost setups. So not ruling it out.

I have experimented with it in looking at chroot/jailed Centmin Mod Nginx sites - see the last experiment which is old at https://community.centminmod.com/th...-sftp-ssh-user-nginx-vhost-menu.8/#post-33453

But there are performance limitations of doing per-user PHP-FPM pools as they'd have to be run via PHP-FPM unix sockets. In the article see the listen directive uses a Unix socket rather than a TCP listener on a port
Code (Text):
listen = /var/run/php-fpm/example.com.sock
listen.owner = example
listen.group = example
listen.mode = 0660
user = example
group = example
You can see the difference in scalability for TCP vs Unix Sockets for PHP-FPM in benchmarks at https://community.centminmod.com/th...e-vs-webinoly-vs-vestacp-vs-oneinstack.14988/ where OneInStack's PHP-FPM Unix socket implementation fails to scale and results is slower PHP response times in high concurrent user loads in 1,000, 2,000 and 5,000 user concurrency PHP-FPM load tests with PHP-FPM Unix socket setup only successfully processing 30-42% of the requests compared to 95-100% of requests for PHP-FPM TCP implementations like on Centmin Mod and other LEMP stacks. What this means is you potentially need much beefier spec hardware for servers running with PHP-FPM Unix socket to get closer to PHP-FPM performance of a PHP-FPM TCP based setup.

Mostly likely how I'd tackle this is to offer up both Nginx vhost creation methods, existing PHP-FPM TCP nginx user and new per user PHP-FPM Unix socket pools, but really do that you'd need 2 PHP-FPM master/service instances which also means more PHP-FPM resources consumed (on top of PHP-FPM Unix Sockets requiring more hardware resources to scale at the high concurrency end).

sds · Aug 11, 2022

eva2000 said: ↑
Are you able to provide details of the hack and how it came to be?

How was Wordpress installed, and what plugins were used?

Was it on a server you only had access to or did other admins and site owners had access to as well?

and
Is this a hack on a Centmin Mod powered server? If it was, I can offer to log into your server and take a quick look to see if I can find their entry point for you.

Was the Wordpress site created using Centmin Mod's centmin.sh menu option 22 Wordpress auto installer https://community.centminmod.com/th...l-vs-centmin-sh-menu-option-22-install.15435/ or was it a Wordpress installation migrated from a non-Centmin Mod powered server to Centmin Mod?
If it was Centmin Mod centmin.sh option 22 based, the installer would create a wpinfo.sh script at /usr/local/nginx/conf/wpincludes/ will when run will provide output summary of your Wordpress install, you can see and provide a list of plugins and themes from that output (not the sensitive info don't post that publicly) i.e. for wpce.domain.com created Wordpress site
Code (Text):
/usr/local/nginx/conf/wpincludes/wpce.domain.com/wpinfo.sh
WP-CLI 2.6.0
WP-Home    http://wpce.domain.com
WP-SiteURL http://wpce.domain.com
WordPress  version:   6.0
Database   revision:  51917
TinyMCE    version:   4.9110  (49110-20201110)
Package    language:  en_US
+--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
| ID     | user_login                         | display_name | user_email                  | user_registered     | roles         |
+--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
| 173432 | zxiJECpWGdHf0YFeijqCOhIy9Fxtwp4317 | George       | user@domain.com | 2022-06-06 16:33:04 | administrator |
+--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
+----------------------+------------------------------------------------------------------+----------+
| name                 | value                                                            | type     |
+----------------------+------------------------------------------------------------------+----------+
| table_prefix         | 22188_                                                           | variable |
| WP_CACHE             | 1                                                                | constant |
| DB_NAME              | wp2529014860db_9123                                              | constant |
| DB_USER              | wpdb9123u28826                                                   | constant |
| DB_PASSWORD          | wpdb6n6RDfPwGd5s5NeurQp8095                                      | constant |
| DB_HOST              | localhost                                                        | constant |
| DB_CHARSET           | utf8                                                             | constant |
| DB_COLLATE           |                                                                  | constant |
| DISABLE_WP_CRON      |                                                                  | constant |
| WP_AUTO_UPDATE_CORE  | minor                                                            | constant |
| WP_POST_REVISIONS    | 10                                                               | constant |
| EMPTY_TRASH_DAYS     | 10                                                               | constant |
| WP_CRON_LOCK_TIMEOUT | 60                                                               | constant |
| CONCATENATE_SCRIPTS  |                                                                  | constant |
| AUTH_KEY             | z/SE4bDs}_vhtw>N}^ejsNa[H#=K{WiM&S j=+X]^)<y=A<pe[;YRekl(qeD+!P| | constant |
| SECURE_AUTH_KEY      | VJO3LG+.#/^<`UMFp8cbqobj>rom9NA*]KG-[37Hti[z7ju%JCsW_equ{v*)LvV( | constant |
| LOGGED_IN_KEY        | HYzWiV1$S9s@W@)p]PLUa.x=z)hOZuEb%OtJ0lplI->r>IZUC>AJ=n6f{) ^c|ef | constant |
| NONCE_KEY            | 9-.v@5pema/~c2rVJsSpvAN1PT>&zr_xi<r#/KqJ5geTbZbM)#Vu==5=Bz1J}=(/ | constant |
| AUTH_SALT            | ^@3nJcME0SVv@]*!rxZ+.S&RBu%XTV9lPXXZ@nO>;O]H09@^}im~p$s (-XI*@,0 | constant |
| SECURE_AUTH_SALT     | xk);Hi2K:H=d}]S/8b|qW.GCz}`UF2($Lc;u_~7W_dovXwCZZ;KvpGm(ZETjUOmr | constant |
| LOGGED_IN_SALT       | B<#CE6`P|U0jk;UL+7Fa$bJA-T=+nrYA(BTk|9Mc4._Rj#eb;:Kc%(,G_8:GWvO` | constant |
| NONCE_SALT           | tE&1D8Zo9QB%/Eh`q[ukNUiJ!-XV:/]K6Wbl<q+]ypD%1(]j4TrvxQ0<]6`Mm{[? | constant |
| WP_CACHE_KEY_SALT    | mq`%/-9^Hcy5TMI3z?zBC/RK^GsP uZpo*qpb~k^Jlp 6TN,iL oq8S<hutIbr1< | constant |
| WP_DEBUG             |                                                                  | constant |
+----------------------+------------------------------------------------------------------+----------+
+-------------------------------+----------+--------+---------+
| name                          | status   | update | version |
+-------------------------------+----------+--------+---------+
| akismet                       | inactive | none   | 4.2.4   |
| autoptimize                   | active   | none   | 3.0.4   |
| autoptimize-gzip              | active   | none   | 0.1     |
| block-specific-plugin-updates | active   | none   | 3.2     |
| cache-enabler                 | active   | none   | 1.4.9   |
| cdn-enabler                   | active   | none   | 2.0.5   |
| classic-editor                | active   | none   | 1.6.2   |
| disable-xml-rpc               | active   | none   | 1.0.1   |
| sucuri-scanner                | active   | none   | 1.8.30  |
| advanced-cache.php            | dropin   | none   |         |
+-------------------------------+----------+--------+---------+
+-----------------+----------+--------+---------+
| name            | status   | update | version |
+-----------------+----------+--------+---------+
| twentytwenty    | inactive | none   | 2.0     |
| twentytwentyone | inactive | none   | 1.6     |
| twentytwentytwo | active   | none   | 1.2     |
+-----------------+----------+--------+---------+
If it was non-Centmin Mod, was it another LEMP stack control panel or your own LEMP setup?
Some background details might help too
Which version of Centmin Mod are you using? 123.08stable, 123.09beta01, 124.00stable or 130.00beta01?
For the latter 3 versions, you can run this command and share the output for the versions history listed
Code (Text):
cminfo versions
The current answer lies in Centmin Mod's development history as it's a fork of the original Centmin project so the vhost structure originated there - see https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/ and my history on focusing on performance and scalability of servers for forum community centric users https://community.centminmod.com/threads/history-of-centmin-mod-from-2011.22733/

So even the FTP user that is created by Centmin Mod isn't an actual Linux user but a Pure-Ftpd virtual FTP user https://community.centminmod.com/th...-sftp-ssh-user-nginx-vhost-menu.8/#post-10139

It is necessary if you intend to some form of shared hosting or hosting sites you do not 100% administer or control yourself.

As it stands, Centmin Mod was never intended for shared hosting as reflected in Centmin Mod’s FAQ item #2 and doesn't create an actual Linux user for each site, so that's why there aren't per-user PHP-FPM pools. To do so would need a total rewrite of Centmin Mod's Nginx vhost creation setup - there are plans for this eventually though as I've tried various ways which I am currently not satisfied with from both my developer end and also with Centmin Mod end users complications/issues in mind - including breaking existing Centmin Mod Nginx vhost setups. So not ruling it out.

I have experimented with it in looking at chroot/jailed Centmin Mod Nginx sites - see the last experiment which is old at https://community.centminmod.com/th...-sftp-ssh-user-nginx-vhost-menu.8/#post-33453

But there are performance limitations of doing per-user PHP-FPM pools as they'd have to be run via PHP-FPM unix sockets. In the article see the listen directive uses a Unix socket rather than a TCP listener on a port
Code (Text):
listen = /var/run/php-fpm/example.com.sock
listen.owner = example
listen.group = example
listen.mode = 0660
user = example
group = example
You can see the difference in scalability for TCP vs Unix Sockets for PHP-FPM in benchmarks at https://community.centminmod.com/th...e-vs-webinoly-vs-vestacp-vs-oneinstack.14988/ where OneInStack's PHP-FPM Unix socket implementation fails to scale and results is slower PHP response times in high concurrent user loads in 1,000, 2,000 and 5,000 user concurrency PHP-FPM load tests with PHP-FPM Unix socket setup only successfully processing 30-42% of the requests compared to 95-100% of requests for PHP-FPM TCP implementations like on Centmin Mod and other LEMP stacks. What this means is you potentially need much beefier spec hardware for servers running with PHP-FPM Unix socket to get closer to PHP-FPM performance of a PHP-FPM TCP based setup.

Mostly likely how I'd tackle this is to offer up both Nginx vhost creation methods, existing PHP-FPM TCP nginx user and new per user PHP-FPM Unix socket pools, but really do that you'd need 2 PHP-FPM master/service instances which also means more PHP-FPM resources consumed (on top of PHP-FPM Unix Sockets requiring more hardware resources to scale at the high concurrency end).
Click to expand...
I apologize for putting this in the wrong place. Please move if you want.

1. I don't know the attack vector yet. Been fighting this for two months.
2. Wordpress was installed on my own before I moved to CMM. I have multiple sites. Shuttered many of them recently. The plug-ins vary from site to to site. My remaining three sites all show penetrations from time to time. So, someone is moving around from directory to directory.
3. I'm the only admin, except for Matt Services, who does sysadmin for me.

1. Yes. It is a CMM. I had Matt set this up for me.You are welcome to look around.
2. No. I set all instances up on my own. I use Genesis themes. Plug-in use is not extensive (I don't think).
3. N/A
4. I guess this specific LEMP server was setup fresh by Matt using CMM. I have migrated from different servers over the years. Now with Hivelocity. No control panel.

1/2:
1st:
123.09beta01.b573 #Tue Sep 1 08:28:19 EDT 2020
..
last 10:
123.09beta01.b573 #Tue Sep 1 08:28:19 EDT 2020
123.09beta01.b573 #Tue Sep 1 15:16:29 UTC 2020
123.09beta01.b589 #Fri Sep 18 14:36:47 UTC 2020
123.09beta01.b608 #Sat Feb 27 08:17:23 UTC 2021
123.09beta01.b655 #Sat Feb 27 08:25:45 UTC 2021
123.09beta01.b655 #Sat Feb 27 08:57:54 UTC 2021
123.09beta01.b655 #Sat Feb 27 09:01:43 UTC 2021
123.09beta01.b792 #Mon Feb 7 11:40:03 UTC 2022
123.09beta01.b792 #Mon Feb 7 11:54:03 UTC 2022

I hope this was helpful.

eva2000 · Aug 12, 2022

123.09beta01 is old now, 124.00stable and 130.00beta01 have been released https://community.centminmod.com/threads/centmin-mod-124-00stable-130-00beta01-releases.22673/ though probably not related to your issues.

If you had installed Wordpress on your own on non-Centmin Mod server prior, that it's also probably you brought alone hacked/compromised Wordpress instances to Centmin Mod server. With access, I can do a quick looksy just to see. @sds sent you a private conversation message here as well.

Log in / Register

Forums

Join the community today

Nginx File owner and web users question

sds New Member

eva2000 Administrator Staff Member

sds New Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Nginx File owner and web users question

sds New Member

eva2000 Administrator Staff Member

sds New Member

eva2000 Administrator Staff Member

.