13

I am setting up php-fpm with chrooting enabled. Now I see that there are two options, and I want to know what the exact difference is.

The setup has:

chroot = /var/www/domains/domain.tld/
; Chdir to this directory at the start. This value must be an absolute path.
; Default Value: current directory or / when chroot
chdir = /docroot/

Why are there two different locations here, and which path is php allowed to access. Can the php website access /var/www/domains/domain.tld/, or can it only access files withing the docroot directory.

===

Maybe there is some concrete advice for me. I want to have a setup like this:

webroot location: /var/www/

domain.com/
 |---conf/
 |    |--nginx.conf
 |    |--php-fpm.conf
 |
 |---ssl/
 |---logs/
 |---session/
 |---domains/
       |---www/
       |---app/
       |---dev/

Now here the php-fpm settings would be:

chroot = /var/www/domain.com/
chdir  = /domains/www

Now the main question here is, will the application located in the www subdomain be able to access the files in dev or app. Or even the files located in session, which is the session save path, or the other folders such as ssl and logs.

Saif Bechan
  • 10,892
  • 10
  • 40
  • 63

1 Answers1

14
  • Chroot sets the 'root' directory - you cannot navigate above the root directory.
  • Chdir simply changes the starting directory - it is still possible to navigate to other directories (including those above this).
    • If you don't specify a chroot path, then the 'real' root applies - and you specify an absolute chdir.
    • If you do specify a chroot path, then you specify a path relative to the chroot'd path (which redefines the root directory).

The settings you have proposed seem quite fine.

  • The starting path would be the chroot path + the chdir path
  • The app will be able to access all files under the chroot path (unless there are other restrictions - e.g. php_openbasedir, permissions, etc) in place.

As a side note - your php-application will also have access to your nginx.conf and php-fpm.conf based on the document structure you have shown - which seems like something you may want to change (at least making the files read-only to that user).

cyberx86
  • 20,620
  • 1
  • 60
  • 80
  • I will make sure those files are safe. By the way, is there a difference between this method of chrooting and just setting the php_openbasedir ? – Saif Bechan Dec 28 '11 at 07:20
  • 1
    Yes - chroot applies at the operating system level and is much harder to bypass. open_basedir is specific to PHP, and needs to be checked in every function so exploits are more common (e.g. by running external scripts with shell_exec). There is an interesting [security note](http://www.php.net/security-note.php) on PHP's site on this matter. That is not to say that open_basedir is useless if you are using chroot - in any circumstance where something occurs outside your script, it may be handy to define a different open_basedir than your chroot path. Chroot also may offer better performance. – cyberx86 Dec 28 '11 at 07:48