What User Should NGinx and PHP be running as?

Solution 1:

This is how this works: When you login via FTP/SSH and upload files, they are created with your permissions. Probably your webroot is world writable (0777), that is insecure - every user in system can write something there. PHP runs with different user privileges (They are specified in PHP-FPM config, not nginx config), and as directory is world writable, PHP user (www-data) can also write there. But owner of this file is www-data, not your account. They are 2 distinct accounts in filesystem permission level.

I suggest you to create dedicated user with least possible privileges, which would own webroot directory and would be used for FTP/SSH upload AND would run php. You should change PHP-FPM config, in worker section there are user entry and NGINX config, so you can make your website files not-world-readable and more secure.

Don`t run PHP with privileged (sudo capablities, write privileges outsite docroot) user, that could cause server security compromise.

Solution 2:

The www-data user & group are quite standard. It may be www or web on other systems but the idea is the same: Run the web services with a dedicated account. Thus, when your web server is compromised, the attacker will only be able to access the files that this account has been granted.

If a user has to manage the web services, you should add the user to the relevant group (www-data) or allow him to su (or sudo) to the relevant user (still www-data).