PHP-FPM chroot with chdir

Loading...

PHP-FPM chroot with chdir

I am trying to setup a site inside of a PHP-FPM chroot.  My paths are as follows:
chroot = /var/www/
chdir = www/

The chroot works just fine without chdir.  But when I add chdir I get this error on php-fpm startup:
ERROR: [pool www] the chdir path '/usr/www/' within the chroot path '/var/www/' ('/var/www///usr/www/') does not exist or is not a directory
Anybody know why it would append /usr/ to the chdir path?  Is there a way to remove it from that path?
Also, if I change the chdir path to /www/, I have to browse to http://localhost/www/filename.php to see my file.  Isn't the point of chdir to make that unnecessary?

Solutions/Answers:

Answer 1:

Have you actually prepared a proper chroot for PHP?

Simply setting an arbitrary directory is not enough – you actually need to build the chroot and ensure it includes all necessary libraries, devices and binaries.

Otherwise, basic things like DNS resolution will fail to work and you’ll get random errors, hangs or app segfaults. It sounds like you are mistaking the simplicity of open_basedir with that of a chroot.

As a start, this script, once customized, should give you a basis for a chroot.

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh

But realistically, if you don’t have much experience with chroots …

  1. It may not be any more secure than normal if incorrectly set up
  2. It may be far more insecure than normal and could allow root escalation if incorrectly set up
  3. You could end up with random issues, that will plague your application over time all caused by a badly built chroot

I would guess security is your goal, but you’re very likely to end up with the exact opposite.

Answer 2:

Got help from phpfreaks IRC last night. It was an issue on the Apache side that I needed it to send the “/www” to PHP-FPM.

References

Loading...