I am running FreeBSD 10.2 with a custom-compiled Apache 2.4.17 with php-fpm. The default pool ([www], almost a stock php-fpm setup) ran on user/group nobody/nobody. Apache runs on user/group daemon/daemon. It works fine connecting to a socket with a few different sites all running in the stock pool. They are low-priority sites using PHP for things like displaying the time.
In the long run, I want to work out some better privilege separation. I created a pool for a roundcube installation on a separate vhost owned by user rcuser, group rcuser (basically a regular FreeBSD shell account). By habit, I park web vhosts in /usr/vhosts/, so this site goes to /usr/vhosts/webmail/ with the application itself stored in /usr/vhosts/webmail/htdocs/. The whole webmail tree belongs to the user and group rcuser. Directories in this tree all have 750 and files have 640 permissions. The pool looks like this:
[rcuser]
user = rcuser
group = rcuser
listen = /var/run/php5-fpm-rcuser.sock
listen.owner = rcuser
listen.group = rcuser
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.min_spare_servers = 1
pm.start_servers = 2
pm.max_spare_servers = 3
So that Apache could access it, I created an ACL on each file and directory giving daemon equivalent access to /usr/vhosts/webmail/ and its subdirectories. Basically, that meant doing find /usr/vhosts/webmail/ -type d -exec setfacl -m user:daemon:rwx {} \; and find webmail/ -type f -exec setfacl -m user:daemon:rw {} \;. I figured that would work, but it didn't, giving me a file not found error when I tried to load Roundcube.
The next thing I tried was giving the other permission bit read access to files and rx access to directories. That worked. Roundcube worked great, but this obviously means other users can read files in it and find sensitive information like MySQL passwords. Not really what I want.
So, the next thing I did was find /usr/vhosts/webmail/ -exec chmod o-rwx {} \; to remove the liberal permissions for other users but keep the original rcuser permissions and daemon ACLs intact, and try to work out where the problem is. After some dicking around, I remembered the first pool I created runs as user nobody and did find /usr/vhosts/webmail/ -exec setfacl -m user:nobody:r-x {} \;. That worked. For some reason, php-fpm wants user nobody to have read and execute access in this second pool's directories.
So, ps -maux reveals php-fpm is running this pool under the right user, rcuser. This isn't the biggest problem in the world for me, but I'm not really sure what security implications it might have when I start deploying this php-fpm setup across clients' sites. Plus, an extra and seemingly extraneous ACL to worry about is an annoyance.
Is there anything I can do to make user nobody not need this ACL?
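An added example, not part of the original question: a small Python check over pool definitions like the one above that flags two settings worth reviewing before rolling per-client pools out, a world-accessible socket (listen.mode = 0666 lets any local account send FastCGI requests to the pool and run PHP as its user) and a pool that runs as the web-server account itself. The web-server user daemon and the sample pool are taken from the question; everything else is constructed.

```python
import configparser
import io

# Constructed from the pool definition in the question (trimmed to the relevant keys).
SAMPLE_POOL = """
[rcuser]
user = rcuser
group = rcuser
listen = /var/run/php5-fpm-rcuser.sock
listen.owner = rcuser
listen.group = rcuser
listen.mode = 0666
pm = dynamic
pm.max_children = 5
"""

WEB_SERVER_USER = "daemon"  # the account Apache runs as in the question


def audit_pools(text, web_user=WEB_SERVER_USER):
    """Return {pool_name: [finding, ...]} for every pool section in `text`."""
    cp = configparser.ConfigParser(interpolation=None)  # php-fpm uses ; comments, which configparser accepts
    cp.read_file(io.StringIO(text))
    report = {}
    for name in cp.sections():
        sec, issues = cp[name], []
        run_as = sec.get("user", "")
        if run_as == web_user:
            issues.append("pool runs as the web server user %r; a PHP bug in this "
                          "pool gets the web server's privileges" % web_user)
        if sec.get("listen", "").startswith("/"):  # unix socket, not host:port
            mode = int(sec.get("listen.mode", "0660"), 8)  # php-fpm's default is 0660
            owner, group = sec.get("listen.owner"), sec.get("listen.group")
            if mode & 0o006:
                issues.append("socket is world-accessible (listen.mode=%04o): any local "
                              "account can send FastCGI requests and run PHP as %r; set "
                              "listen.group = %s and listen.mode = 0660 instead"
                              % (mode, run_as, web_user))
            elif web_user not in (owner, group):
                issues.append("web server user %r is neither listen.owner nor listen.group, "
                              "so Apache cannot open the socket with mode %04o" % (web_user, mode))
        report[name] = issues
    return report


if __name__ == "__main__":
    for pool, issues in audit_pools(SAMPLE_POOL).items():
        print("[%s]" % pool)
        for line in issues or ["no findings"]:
            print("  -", line)
```

Pointing it at the real file (open("/usr/local/etc/php-fpm.d/rcuser.conf").read(), path assumed) works the same way, since php-fpm pool files are plain INI sections.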