php-fpm _and_ open_basedir = Necessary?
Martin "eto" Misuth
eto.freebsd at ethome.sk
Wed May 4 18:13:43 UTC 2016
On Wed, 27 Apr 2016 15:12:33 +0200
Andy Wodfer <wodfer at gmail.com> wrote:
> Now I wonder - Is open_basedir even necessary when I run php with php-fpm
> pools with their own users. From what I understand php-fpm does just this
> (jail) the daemon/process to its specified virtualhost/user homedir (hope
> this came out correctly). ?
As far as I understand it, open_basedir is "poor mans jailing" courtesy of php.
It's intended to solve path traversal problems in mass hosting configurations
usual for ISPs (using virtual hosts), eg cross domain script read/write.
Instead of relying on higher/lower layer (depending on your pov) of isolation
provided by os, php runtime with open_basedir configured, changes
behaviour of most php's IO related functions to prevent unintended
directory traversal. Eg it "locks" php's IO (php userland fileops,
include/require) into specific subtrees.
Ofc this has no effect on anything spawned by php's system() call or on
backticks operators, and I don't remember even if all IO functions in php
runtime are open_basedir capable. Some consider it has dubious value, others
Also remember that open_basedir "jails" only scripts and their IO, actual
runtime has normal access capabilities and it has nothing to do with php-fpm
Depending on how you have setup your php-fpm instances (chroot or jail, jail,
jail + chroot, fpm-pool per jail, custom users) it might be turned off even.
More information about the freebsd-questions