4

I am trying to setup a site inside of a PHP-FPM chroot. My paths are as follows:

chroot = /var/www/
chdir = www/

The chroot works just fine without chdir. But when I add chdir I get this error on php-fpm startup:

ERROR: [pool www] the chdir path '/usr/www/' within the chroot path '/var/www/' ('/var/www///usr/www/') does not exist or is not a directory

Anybody know why it would append /usr/ to the chdir path? Is there a way to remove it from that path?

Also, if I change the chdir path to /www/, I have to browse to http://localhost/www/filename.php to see my file. Isn't the point of chdir to make that unnecessary?

nwalke
  • 643
  • 2
  • 12
  • 31

2 Answers2

1

Have you actually prepared a proper chroot for PHP?

Simply setting an arbitrary directory is not enough - you actually need to build the chroot and ensure it includes all necessary libraries, devices and binaries.

Otherwise, basic things like DNS resolution will fail to work and you'll get random errors, hangs or app segfaults. It sounds like you are mistaking the simplicity of open_basedir with that of a chroot.

As a start, this script, once customized, should give you a basis for a chroot.

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh

But realistically, if you don't have much experience with chroots ...

  1. It may not be any more secure than normal if incorrectly set up
  2. It may be far more insecure than normal and could allow root escalation if incorrectly set up
  3. You could end up with random issues, that will plague your application over time all caused by a badly built chroot

I would guess security is your goal, but you're very likely to end up with the exact opposite.

Ben Lessani
  • 5,174
  • 16
  • 37
  • I don't know if you're familiar with PHP-FPM's chroot option or not, but it's not a REAL chroot in the normal meaning of chroot. The chroot under PHP-FPM just specifies that PHP cannot break out of that folder. http://serverfault.com/questions/344538/php-fpms-chroot-and-chdir-directory – nwalke Sep 20 '12 at 21:45
  • I'm very familiar with it (we are a web hosting firm) that owns and manages hundreds of servers all running php-fpm. Its still a chroot, and it still requires everything that a normal chroot requires. That includes libraries, binaries and devices. Sure, on the surface it will appear to work, but you'll soon notice DNS won't resolve, encoding types can't be converted, SSL extensions don't work as they should, email isn't sent, MySQL connections have issues etc. – Ben Lessani Sep 20 '12 at 21:50
  • And I'm prepared to deal with all of those issues as they come. But your answer does not answer my question. If you have hundreds of servers, I'd much rather hear your experience rather than being told I'm doing a bad thing by looking into this. My question is specifically about the chdir directive. Your answer does not address that unless you're saying chdir does not work because the chroot has been setup improperly. – nwalke Sep 20 '12 at 21:56
  • **Have you actually prepared a proper chroot for PHP?** That's your answer. You already are dealing with issues as they come, this is your first. I also gave a thorough explanation as to why you should question doing what you are doing, to better guide you into making an appropriate decision. I then proceeded to provide a link that will give you a starter into preparing a chroot. Since every chroot is different and so are their purposes, there is no definitive guide for you to follow. You add ***what you need*** to the chroot, no more, and only you know what you need. – Ben Lessani Sep 20 '12 at 22:01
  • That's not an answer. That's a question. I asked a specific question about the chdir directive under FPM. If you have knowledge about that, I'd love to hear it. – nwalke Sep 20 '12 at 22:02
  • Sonassi, I'm curious how you got mail() working. I'm having issues getting mini_sendmail to work.. – Vid Luther Sep 21 '12 at 18:36
  • Our whole hosting infrastructure, from shared hosting to multi machine clustered hosting all uses the same chroot configuration. We made a custom chroot build script using the one referenced above as a basis. We're at revision 374 currently, so it should give you an idea of the time and effort it takes to build a secure, fully-featured chroot purely for PHP apps. Try using ssmtp rather than mini send mail. – Ben Lessani Sep 21 '12 at 20:48
1

Got help from phpfreaks IRC last night. It was an issue on the Apache side that I needed it to send the "/www" to PHP-FPM.

nwalke
  • 643
  • 2
  • 12
  • 31