PHP-FPM in a chroot environment


This short article is about the problems you can encounter when running the php-fpm engine in a chroot'ed environment: a basic explanation of some advanced things.

Even if you are a newbie in tech terms, you may have seen the term "jailbreak" and know that it leads to full access to a protected phone or other device; so if serious corporations trust in a "jail", why not use it to isolate your website? The basic idea behind a confined environment is to restrict the visible filesystem to a certain folder and to forbid access to anything outside it. On Linux, the first part is done by executing the chroot() system call; the success of the second depends on how restricted the chrooted folder is. If one has root inside the chroot, it is possible to get out; if one does not have root inside the chroot, has no way to get uid 0, and has no way to mknod() or access raw system devices, then you can consider your chroot folder unbreakable. BSD systems have an even better chroot available, jail, which is more difficult to get out of even with a superuser inside; but for php-fpm a Linux chroot suffices to be unbreakable.

Why would you want to isolate your web site? Because it is a public service: if you use your server for anything else, a compromised website can let an attacker reach your other data.
It is known that some people run the Apache web server chroot'ed; in the HighLoad model it is even easier to run it in a more secure way. A static web server is basically safe enough to trust, while scripts are the major risk. What executes your scripts? Most likely the PHP interpreter (85% popularity according to some research, so it is the "people's choice"), so only PHP has to be chroot'ed. With mod_php (Apache) you have to confine the entire web server for that; with PHP-FPM you can use the chroot = directive to put your pool into a chroot, and that's all. You can even run different pools with different user ids in different chroots. Is that nice? Yes.

But by doing this you will find that some things are broken...

ISSUE ONE: the nginx.conf fastcgi_param SCRIPT_FILENAME now has to be relative to the chroot'ed path; strip the chroot prefix from it and it will work.

ISSUE TWO: the domain name resolver does not work.

ISSUE THREE: mail does not work.

ISSUE X: functionality provided by external programs does not work (e.g. imagemagick).

These are solved by creating a basic filesystem inside the chrooted folder. The minimal list of what is needed:

/dev
with: null, zero, urandom

/etc
group host.conf hostname hosts localtime networks nsswitch.conf passwd protocols resolv.conf services

Most likely you want to truncate group and passwd to the entries relevant to your web server and delete the rest.

/lib (or /lib64)
See your /etc/nsswitch.conf for which libnss_* files to copy (you will need at least libnss_dns for the resolver to work); even if you are using statically linked programs, libnss_* are loaded dynamically. Make sure you put the dependency libraries here as well: libnss_* wants ld-linux.so.2 (or its 64-bit equivalent), libc, libnsl and libresolv. You can check library or program dependencies with the ldd command; copy all dependent libs (except linux-gate) to the chroot /lib(64) folder.
For dynamically linked programs to work correctly and for charset translations via iconv() you will need the locales and gconv modules: /usr/lib/locale and /usr/lib/gconv.

/usr/bin and /bin:
To call external programs /bin/sh is required. I prefer to use a statically linked dash.
For mail (see the PHP sendmail_path setting) sendmail is necessary; I suggest a replacement, acme mini_sendmail,
which relays all accepted mail to the localhost MTA (the main one); make sure relaying from localhost is permitted.
Other alternatives are ssmtp and msmtp (don't compile them statically, they won't work properly, especially with SSL).
Yet another alternative is to specify the mail (SMTP) server settings in your PHP application and not use any wrappers or external programs.

For imagemagick, I suggest compiling a minimal GraphicsMagick instead; it can depend only on libjpeg, libpng and liblcms (if you want ICC management). Some applications need the curl binary; I suggest compiling a minimal version of it as well, instead of copying lots of libraries.
Don't forget to update the software inside the chroot, especially when security issues have been found in it.

ISSUE... WHATEVER: PHP cannot connect to the MySQL database.
Note: for MySQL, localhost means using the Unix socket; since the socket is now located outside the chroot, it won't work. Use TCP instead and set the server to 127.0.0.1.

Don't forget to create /tmp with proper permissions, and the other required paths.
Additionally you can create symlinks inside the chroot that mirror the non-chrooted directory structure; this can help you avoid some trouble )
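The filesystem checklist above assembled as a shell script, as an added example that is not part of the original post. The chroot path (the CHROOT_DIR environment variable), the choice of libnss modules (libnss_dns plus libnss_files) and the use of /bin/sh as the only binary are assumptions; the tree itself has to be built as root because of mknod, while the helper functions do not need root.

```sh
#!/bin/sh
# Added example (not from the original post): assemble the minimal filesystem the
# post lists inside a php-fpm chroot. CHROOT_DIR (environment variable) and the
# choice of libnss modules are assumptions; only build_chroot needs root (mknod).

# Print the on-disk library paths from `ldd` output read on stdin, skipping the
# kernel-provided linux-gate / linux-vdso entries (no file to copy) and any
# "not found" entries, so the result is exactly what has to go under /lib(64).
ldd_paths() {
    awk '/linux-gate|linux-vdso/ { next }
         /=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }' | LC_ALL=C sort -u
}

# Copy one file into the chroot at the same absolute path, creating parent dirs.
install_into_chroot() {   # $1 = chroot dir, $2 = absolute source path
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Copy a dynamically linked program or library plus everything ldd resolves for it.
install_with_deps() {     # $1 = chroot dir, $2 = absolute path of the binary
    install_into_chroot "$1" "$2"
    for lib in $(ldd "$2" | ldd_paths); do
        install_into_chroot "$1" "$lib"
    done
}

build_chroot() {          # $1 = chroot dir; run as root
    root=$1
    install -d -m 755 "$root/dev" "$root/etc" "$root/bin" "$root/usr/bin"
    install -d -m 1777 "$root/tmp"          # world-writable with the sticky bit
    # the three device nodes from the post, with their Linux major/minor numbers
    [ -e "$root/dev/null" ]    || mknod -m 666 "$root/dev/null"    c 1 3
    [ -e "$root/dev/zero" ]    || mknod -m 666 "$root/dev/zero"    c 1 5
    [ -e "$root/dev/urandom" ] || mknod -m 666 "$root/dev/urandom" c 1 9
    # /etc files from the post; trim passwd and group afterwards as the post says
    for f in group host.conf hostname hosts localtime networks nsswitch.conf \
             passwd protocols resolv.conf services; do
        if [ -e "/etc/$f" ]; then install_into_chroot "$root" "/etc/$f"; fi
    done
    # libnss_* are dlopen()ed by libc even from static binaries; ldd pulls in
    # their own dependencies (ld-linux, libc, libresolv) for us
    for lib in /lib*/libnss_dns.so.2 /lib/*/libnss_dns.so.2 /lib*/libnss_files.so.2 /lib/*/libnss_files.so.2; do
        if [ -e "$lib" ]; then install_with_deps "$root" "$lib"; fi
    done
    install_with_deps "$root" /bin/sh       # external programs are started via /bin/sh
}

if [ -n "${CHROOT_DIR:-}" ]; then build_chroot "$CHROOT_DIR"; fi
```

Run it as `CHROOT_DIR=/path/to/chroot sh build-chroot.sh` (the filename is a placeholder); after copying, check from inside with `chroot "$CHROOT_DIR" /bin/sh -c 'getent hosts localhost'` that the resolver libraries were picked up.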

Enjoy!

Questions?


msmtp

Hi

I tried to set up msmtp inside the chroot. When I chroot with a shell and test, it works fine, but when I try to send an email with php mail() it returns false and doesn't send the mail. msmtp doesn't get the mail. Could you help with it?

I found a solution, sorry :)


That's my post as well )
Glad it helped
