Date:      Wed, 4 May 2016 19:42:28 +0200
From:      "Martin \"eto\" Misuth" <eto.freebsd@ethome.sk>
To:        freebsd-questions@freebsd.org
Subject:   Re: php-fpm _and_ open_basedir = Necessary?
Message-ID:  <20160504194228.52047ab6@eto-mona.office.smartweb.sk>
In-Reply-To: <CABgB0xRJyinSbh9EeFg+jyuhY_k-FEKNphDuQd11jZJpqM8JwA@mail.gmail.com>
References:  <CABgB0xRJyinSbh9EeFg+jyuhY_k-FEKNphDuQd11jZJpqM8JwA@mail.gmail.com>

On Wed, 27 Apr 2016 15:12:33 +0200
Andy Wodfer <wodfer@gmail.com> wrote:


> Now I wonder - Is open_basedir even necessary when I run php with php-fpm
> pools with their own users. From what I understand php-fpm does just this
> (jail) the daemon/process to its specified virtualhost/user homedir (hope
> this came out correctly). ?

As far as I understand it, open_basedir is "poor man's jailing" courtesy of php.
It's intended to solve path traversal problems in mass hosting configurations
usual for ISPs (using virtual hosts), e.g. cross-domain script read/write.

Instead of relying on the higher/lower layer (depending on your POV) of isolation
provided by the OS, the php runtime with open_basedir configured changes the
behaviour of most of php's IO-related functions to prevent unintended
directory traversal, i.e. it "locks" php's IO (php userland file ops,
include/require) into specific subtrees.

Of course this has no effect on anything spawned by php's system() call or on
the backtick operator, and I don't even remember if all IO functions in the php
runtime are open_basedir capable. Some consider it to have dubious value, others
think differently.

Also remember that open_basedir "jails" only scripts and their IO; the actual
runtime has normal access capabilities, and it has nothing to do with the php-fpm
chroot.

Depending on how you have set up your php-fpm instances (chroot or jail, jail,
jail + chroot, fpm-pool per jail, custom users) it might even be turned off.

  eto
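As an added illustration of the boundary eto describes (this script is not part of the thread), the following PHP contrasts a userland read inside and outside the open_basedir subtree with the same read performed through a spawned shell. It assumes a scratch directory as the basedir, a constructed file inside it, and /etc/hosts as a file outside it; run it from that directory with `php -d open_basedir="$(pwd -P)" -d display_errors=1 demo.php`.

```php
<?php
// Added example, not from the mailing-list thread.
// open_basedir is assumed to be set to this script's own directory (see lead-in).

$inside  = __DIR__ . '/allowed.txt';  // constructed file inside the basedir subtree
$outside = '/etc/hosts';              // assumed to exist; lies outside the subtree

file_put_contents($inside, "hello from inside\n");

/**
 * Read a file through php's userland IO. file_get_contents() honours
 * open_basedir: a path outside the configured subtree raises a warning
 * and returns false, which we report as BLOCKED.
 */
function userlandRead(string $path): string
{
    $data = @file_get_contents($path);
    return $data === false ? 'BLOCKED' : 'READ ' . strlen($data) . ' bytes';
}

/**
 * Read the same file via a child process. open_basedir does not apply to
 * shell_exec()/system()/backticks: the child runs with the pool user's
 * ordinary OS permissions, so only the OS layer (file modes, chroot, jail)
 * can deny this read.
 */
function shellRead(string $path): string
{
    $data = shell_exec('cat ' . escapeshellarg($path) . ' 2>/dev/null');
    return ($data === null || $data === '') ? 'BLOCKED/EMPTY' : 'READ ' . strlen($data) . ' bytes';
}

echo 'open_basedir = ', ini_get('open_basedir'), PHP_EOL;
echo 'userland read inside  : ', userlandRead($inside), PHP_EOL;
echo 'userland read outside : ', userlandRead($outside), PHP_EOL;
echo 'shell read outside    : ', shellRead($outside), PHP_EOL;

// include/require are covered by the same check as file_get_contents():
$ok = @include $outside;
echo 'include outside       : ', $ok === false ? 'BLOCKED' : 'ALLOWED', PHP_EOL;
```

Expect the two "outside" userland lines to report BLOCKED while the shell read still succeeds; disabling the process-spawning functions (disable_functions) or putting the pool in a chroot/jail is what closes that second path, not open_basedir.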


