During testing I have noticed that, side by side with nobleness of automation of creating all things associated with vhost and website, I've got
PHP scripts being run by user that owns files and folders under the newly created vhost, instead of
That means following: hacked (for example) Wordpress may plant webshell programs to vhost directories. Not just that, it may alter legal files and inject malicious content.
I have to say I haven't had setups like this before - scripts were run by web user (
www-data) and owned by their system users, precisely in order to make mentioned scenario impossible.
Now, I'm not smarter than folks that have developed this - so I'm asking:
what can be done to reduce/contain/minimize obvious risk of this setup / is there a Virtualmin magic feature that keeps this under control?
Thanks in advance.