Skip to main content

Running PHP-FPM as a different user

Comments

6 comments

  • cPanelMichael
    Hello @StuB, Changing the username or group name PHP-FPM runs as is unsupported, however I might be able to point you in the right direction for an alternative. Can you share a specific scenario or use-case you're attempting to address? Thank you.
    0
  • StuB
    Hi Michael, Thanks for the reply and I appreciate it not a supported feature. The issue is the server hosts a few different PHP based websites that we have a good understanding of the code that runs on them however we do run third party code such as Drupal and Wordpress. As you know these systems come with security ssues from time to time which we patch asap but looking to see if we enhance their isolation and security a little more. Using PHP-FPM we run PHP as the account owner which restricts any issues to that account which is good however I'd like to be able to restrict PHP's write access to files owned by the account to a few folders to stop any rogue scripts from creating or changing files. Currently as PHP runs as the account owner then it always has the ability to make these changes as it owns the files. When run as DSO, PHP only has group access to the files so it can be stopped from changes or creating files but doing this runs the risk of cross account problems if a site is exploited which is something that I want to avoid. There are certain areas where we have to allow PHP read/write access to the files so we can't just disable all file functions and we also need access to remote locations using curl. I was hoping it would be possible to have the best of both worlds by creating a separate web user for each account for PHP to run as and only give it group permissions to the files. For example account: test.com user: test web-user: www-test I noticed in the PHP-FPM pool configurations that there are settings for user, group, listen_owner etc and, after adding a www-test user and adding it to the test group, I have had a play via both the yaml files and the conf file directly but I've not managed to get it to run as www-test so clearly I'm missing something. The closest I managed was to have PHP-FPM restart correctly but when serving PHP files it would report an error of 'File not found'. I would hope that something like the above could potentially significantly improve security of a multi use server with minimal overhead compared to a normal PHP-FPM configuration. Any help or advice you can give or if I should be going about this in a different way would be greatly appreciated.
    0
  • StuB
    Hi @cPanelMichael Thanks for the reply and if I get nowhere and need to take it further then I'll look at your suggested companies. As for the idea of a separate subdomain for each script to be isolated the basic principle is good and and something I'll bear in mind but for this use I think there are too many scripts to handle this in a sensible way. Thanks again.
    0
  • backblaze
    this is very strange to me that cPanel devs dont understand how security must be adjusted for php-fpm. they still have single php-fpm master config that pulls all the users pools. no separate php-fpm.conf file for each account. what to say about other issues like above... php-fpm must be configured as different user, with "setfacl" finetuning. so we allow php-fpm to access everything but write only into specific folders. (chmod/chown sucks) i was testing php-fpm implementation in the ealry stages, but looks like all my messages were ignored, and no one ever replied. this is only few lines of code in your account management scripts to set everything. while every cpanel addon/plugin with php-fpm+nginx works as expected, but only cpanel devs dont know how to do it. the same issues you have with nginx. hm
    0
  • cPanelMichael
    Hello @backblaze, I recommend submitting your feedback on our feature request property:
    0

Please sign in to leave a comment.