roots / trellis

WordPress LEMP stack with PHP 8.2, Composer, WP-CLI and more
https://roots.io/trellis/
MIT License

PHP has write access to entire web root #368

Open culturedsys opened 8 years ago

culturedsys commented 8 years ago

Currently, PHP-FPM is set up to run as web_user, which is the same user that owns the files in the web root. This means that PHP code can modify any file in the web root. This is a potential security problem, because it means that, if there is a vulnerability in WordPress or a plugin, that can be used to make long-lasting changes, such as inserting a backdoor or serving spam. The recommended configuration is to have the PHP process run as a different user from the user that owns the files, and specifically enable PHP to write only to those places it actually needs to, i.e., the uploads folder. See e.g.: http://codex.wordpress.org/Hardening_WordPress#File_Permissions

This bug was introduced in response to #174, in order to allow WordPress to write to the uploads directory. A better solution, I think, would be to change the permissions on the uploads directory only to allow the www-data group to write only to that directory, and not to the rest of the web root.
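
An audit of the condition this issue describes, added here as an example; it is not part of the original thread or of Trellis. It reports every path under a web root that a given PHP uid and group set can write outside an allowed uploads path. The function names, the `app/uploads` location, the sample tree and the separate uid are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """POSIX mode-bit check for a non-root uid (ACLs are not considered)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_web_root(root, uid, gids, allowed=("app/uploads",)):
    """Relative paths under root that uid/gids can write, outside `allowed`."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for full in paths:
        rel = os.path.relpath(full, root)
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not meaningful
        if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
            continue
        # A writable directory counts: its entries can be replaced or added.
        if can_write(st, uid, gids):
            findings.append(rel)
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: files 0644, directories 0755, uploads 0775."""
    os.makedirs(os.path.join(root, "app", "uploads"))
    os.makedirs(os.path.join(root, "wp"))
    for rel in ("index.php", "wp/wp-load.php", "app/uploads/photo.jpg"):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, 0o644)
    for rel in (".", "app", "wp"):
        os.chmod(os.path.join(root, rel), 0o755)
    os.chmod(os.path.join(root, "app", "uploads"), 0o775)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        st = os.lstat(os.path.join(root, "index.php"))
        print("PHP as file owner:", audit_web_root(root, st.st_uid, {st.st_gid}))
        print("PHP as other uid: ", audit_web_root(root, st.st_uid + 1, {st.st_gid}))
```

On a real host, pass the uid and group ids of the PHP-FPM pool user; an empty result means PHP can write only inside the allowed path.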

jameskraus commented 8 years ago

A lot of plugins require write access to the web root to get full functionality, e.g. symlinking a db.php in place for query-monitor or W3TC. This might not work well for the majority of users.

perifer commented 7 years ago

Could it be an alternative to let security-concerned users of Trellis opt out of having the web root owned by the same user that runs the PHP process?