I'm just setting up nginx on my web server, and I created a user account for it to use (nginx). However, it runs its worker processes by default as www-data. Is there any disadvantage to using www-data, or should I leave it at that? And who should the files be owned by? Also, the master process is owned by root (to open sockets, I believe). Is there any harm in this, and would it be better to give the nginx (or www-data, but I suspect not) users sudo permissions? In addition, is there anything else I should be doing to secure the server other than locking down the user and file permissions? I haven't installed PHP or MySQL yet, I'll worry about securing those when I install them.
Thanks for your help; the webserver setup guides I've found so far didn't have any permission guidelines, but I'm certain I need to do something with them.
It's normal that the master process is owned by root. This is necessary for it in order to bind to a privileged port (privileged ports are ports < 1024).
If the user for nginx is called www-data, nginx or something else doesn't make any difference. HTML files can be owned by a different user (like an FTP user) and have 644-permissions.
You don't have to worry too much about nginx security, as plain serving of websites usually isn't your main concern. The real security problems arise with PHP and MySQL, and these services should be secured very carefully.
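One way to check a web root against the ownership and 644 advice in the answer above, as an added example that is not part of the original answer. The function name `audit_webroot` and the path `/var/www/html` are assumptions; the worker account is whatever nginx's `user` directive names.

```shell
#!/bin/sh
# Added example: audit a document root for the nginx worker account.
# Usage: audit_webroot DIR WORKER_USER
#   e.g. audit_webroot /var/www/html www-data   (path is an assumed example)
# Prints one finding per line. Returns 0 if clean, 1 if findings, 2 on bad input.
audit_webroot() {
    dir=$1
    worker=$2

    [ -d "$dir" ] || { echo "error: not a directory: $dir" >&2; return 2; }
    id -u "$worker" >/dev/null 2>&1 ||
        { echo "error: no such user: $worker" >&2; return 2; }

    findings=$(
        # Content owned by the worker account can be chmod'ed and rewritten
        # by any code running as that account, so static files should
        # belong to a separate deploy/FTP user.
        find "$dir" -user "$worker" -print |
            sed 's/^/owned-by-worker /'

        # Looser than 644 (files) / 755 (dirs). Group-writable is flagged
        # unconditionally; it only matters if the worker is in that group.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/group-or-world-writable /'

        # Files without the world-read bit: a worker that is neither owner
        # nor group member cannot serve them (nginx answers 403).
        find "$dir" -type f ! -perm -004 -print |
            sed 's/^/not-world-readable /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

A clean run prints nothing and returns 0, which makes the function usable as a deploy-time gate.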