NGINX/FilePermissions

Description

This recommendation restricts the ownership and permissions of the NGINX configuration and content directories, so that a local attacker, or a compromised process running as an unprivileged account, cannot read or modify the web server's files.

It reduces the chance that an attacker who gains a foothold on the host can read the configuration and obtain confidential data from it, such as a database password or the TLS private keys the server is configured with.

Rationale

If the permissions are not set, any local account, including the account a compromised application runs as, can read the configuration files and the credentials stored in them. Group- or world-writable configuration and content files are worse: anyone who can write to them can change what NGINX serves, or plant directives that the master process will load as root on the next reload. Note that directory listing is controlled by the autoindex directive, not by file permissions; correct permissions do not replace disabling autoindex. This recommendation closes those file-level weaknesses and keeps the confidential configuration files from being read.

The NGINX configuration files must be owned by root, writable only by their owner, and neither readable nor writable by others (for example mode 0640 for files and 0750 for directories).

Set the files and directories under /etc/nginx/ and /usr/share/nginx/ to be owned by root, and remove read and write permission for other users. Keep in mind that the worker processes run as an unprivileged user (the one named by the user directive, or by the --user argument shown in nginx -V) and must still be able to read the static content they serve: give the document root that user's group with group read permission rather than leaving it world-readable.

The directories NGINX writes to at runtime (temporary files and logs) are the exception: the unprivileged worker user must keep read and write access to them, so do not strip that user's permissions there.

To find out which paths your build uses, run nginx -V (it writes its output to stderr) and look for the following configure arguments:

--http-scgi-temp-path
--http-proxy-temp-path
--http-log-path
--http-fastcgi-temp-path
--http-client-body-temp-path
--error-log-path
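Added example, not part of the original page and not NGINX project code: a POSIX shell script that applies the ownership and mode scheme described above to a directory tree, audits the result for anything still group-writable or accessible to others, and extracts the runtime directories from nginx -V output so they can be left alone. The directory arguments and the worker group name (www-data below) are assumptions that differ between distributions, and the nginx -V output embedded in the script is a constructed sample.

```shell
#!/bin/sh
# Added example: apply and audit the permission scheme for NGINX directories.
# Paths and the worker group are arguments because they vary by distribution
# (the worker user/group is shown by --user/--group in `nginx -V`, or by the
# user directive in nginx.conf).
set -eu

# Make every entry under $1 owned by root:$2, directories 0750 and files 0640:
# owner read/write, group read only, no access for others. Ownership is only
# changed when running as root, so the functions can be tried on a scratch copy.
harden_tree() {
    dir="$1"
    group="$2"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "root:$group" "$dir"
    fi
    find "$dir" -type d -exec chmod u=rwx,g=rx,o= {} +
    find "$dir" -type f -exec chmod u=rw,g=r,o= {} +
}

# Print entries under $1 that are still readable, writable or executable by
# "other", or writable by group. Returns 1 if any exist, 0 if the tree is clean.
audit_tree() {
    dir="$1"
    bad=$(find "$dir" \( -perm -0004 -o -perm -0002 -o -perm -0001 -o -perm -0020 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Read `nginx -V` output on stdin and print the runtime directories it names
# (the *-temp-path arguments and the directories of the two log paths), one per
# line without duplicates. These must stay accessible to the worker user, so
# they are deliberately not passed to harden_tree.
nginx_runtime_paths() {
    tr ' ' '\n' | awk -F= '
        /^--(http-[a-z-]+-temp-path|http-log-path|error-log-path)=/ {
            p = $2
            # the log options name a file; keep only its directory
            if ($1 ~ /log-path$/) sub(/\/[^\/]*$/, "", p)
            print p
        }' | sort -u
}

# Constructed sample of `nginx -V` output, used for the offline demonstration;
# on a real host feed the function with `nginx -V 2>&1` instead.
SAMPLE_NGINX_V='nginx version: nginx/1.24.0
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --user=www-data --group=www-data'

# Usage (as root, so ownership is fixed too):
#   sh nginx-perms.sh /etc/nginx root
#   sh nginx-perms.sh /usr/share/nginx/html www-data   # content stays readable by workers
# Without arguments nothing on the system is changed.
if [ "$#" -eq 2 ]; then
    harden_tree "$1" "$2"
    if audit_tree "$1"; then
        echo "OK: nothing under $1 is group-writable or accessible to others"
    fi
    if command -v nginx >/dev/null 2>&1; then
        echo "Runtime directories to leave accessible to the worker user:"
        nginx -V 2>&1 | nginx_runtime_paths
    fi
fi
```

Running the script twice, once for /etc/nginx with the root group and once for the document root with the worker's group, implements the split described above: configuration is readable by root only, content is readable by the workers through their group, and neither tree is accessible to other users. The audit function is the check to run afterwards and after every configuration change, since files copied in later arrive with whatever mode the copying tool gave them.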