nginx and php-fpm chroot

Posted by ghadamyari 
nginx and php-fpm chroot
January 28, 2010 01:58AM
Hello,

I have 2 questions :
1-
I want to host 3 different user sites on my server. I am using php
v5.3.1 and nginx v0.8.32 on my server.
I have used php-fpm to run each virtual host with his own user
(<section name="pool">) and his own gateway ( 127.0.0.1:900x ).
Everything is good, but the only problem is that when I use chroot()
in php-fpm to restrict user access, it does not work. In Joomla, it
says that it cannot connect to the database, but phpinfo() works.
If I do not use chroot, then other users can upload a shell and access
the whole system! (tested and it really works)
What is the best solution to restrict user access ?
example :
group : site1
user : site1
home : /home/site1.com/public_html

2-
If I change the max_children of each pool in php-fpm.conf to 1, does
it affect site speed?
I found that cPanel just has 1 process per user and when the user's
site has no visitor, the process of the user does not start. When the
site receives a visitor, the user's process starts.
But in php-fpm, when I start php-fpm, all pools start with their own
users and processes.
?!

Thank you!
Jason Giedymin
Re: nginx and php-fpm chroot
January 28, 2010 03:22AM
I believe fpm and chroot practices are still a work in progress.

There has been some talk on the matter and would urge users to do a
quick archive search.

-Jason

Jérôme Loyet
Re: nginx and php-fpm chroot
January 28, 2010 09:12AM
fpm and chroot works great. You have to understand how it works and tune
your configuration this way.

Re: nginx and php-fpm chroot
January 28, 2010 09:52AM
Hello,

Thank you for your hopeful answer.
What configuration should I do?
I have done the following, but they do not work for me:
1- in /etc/php-fpm.conf, changed the chroot value to /home/site.com
2- in /etc/nginx/nginx.conf, changed the SCRIPT_FILE_NAME value
from /home/site.com$script_name to $script_name
As I said, phpinfo() worked in this case but I got a "Cannot Connect
To Database" error.
Do you mean copying binary files and libs to the chrooted folder?!
Please explain if it is possible.

Thank you very much!

Jérôme Loyet
Re: nginx and php-fpm chroot
January 28, 2010 11:04AM
2010/1/28 Mostafa Ghadamyari <m.ghadam@gmail.com>:
> Hello,
>
> Thank you for your hopeful answer.
> What configuration should I do?
> I have done the following, but they do not work for me:
> 1- in /etc/php-fpm.conf, changed the chroot value to /home/site.com
> 2- in /etc/nginx/nginx.conf, changed the SCRIPT_FILE_NAME value
> from /home/site.com$script_name to $script_name
> As I said, phpinfo() worked in this case but I got a "Cannot Connect
> To Database" error.
> Do you mean copying binary files and libs to the chrooted folder?!
> Please explain if it is possible.

Let's say you have a site in /home/site1.
In nginx.conf for the site1 pool you set the chroot directive to /home/site1.

SCRIPT_FILE_NAME was set to /home/site1$script_name, now change it to
/script_name. This variable is used by FPM. As all the fpm processes
doing the processing are chrooted, they don't know /home/site1. For them it's /.

Beyond that, I don't know how your script works. But if it connects to the DB
through a unix socket, you have to change the path. And the unix
socket must be present in the chroot environment.

It's also possible that the resolver is not working, as there's no
/etc/resolv.conf in the jail. If you're using a TCP DB connection, try
to use the IP address rather than the name.

chroot is good for security but it can be hard to use (IP
resolution, external software, email, ...). That's why I said that
you have to understand perfectly how chroot works to understand your
problem and fix it.

++ Jerome
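The checks described in the reply above (script path as seen from inside the jail, DB unix socket present in the jail, resolver file present), as an added example that is not part of the original posts. The function names, finding labels and all paths are assumptions made for illustration; this is not php-fpm or nginx tooling.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for a chrooted php-fpm pool (hypothetical helpers).

# Translate a host path into the path a chrooted worker sees.
# Prints the in-jail path; returns 1 if the path lies outside the jail.
jail_path() {
    local root="${1%/}" path="$2"
    case "$path" in
        "$root")   printf '/\n' ;;
        "$root"/*) printf '%s\n' "${path#"$root"}" ;;
        *)         return 1 ;;
    esac
}

# $1 = chroot root, $2 = host path of a PHP script,
# $3 = host path of the DB unix socket (optional; omit for TCP connections).
# Prints one finding per line and returns the number of findings.
check_jail() {
    local root="${1%/}" script="$2" sock="${3:-}" n=0
    if ! jail_path "$root" "$script" >/dev/null; then
        echo "script-outside-jail: $script"; n=$((n + 1))
    elif [ ! -f "$script" ]; then
        echo "script-missing: $script"; n=$((n + 1))
    fi
    # Without etc/resolv.conf inside the jail, hostname lookups fail;
    # a TCP DB connection then needs an IP address instead of a name.
    if [ ! -r "$root/etc/resolv.conf" ]; then
        echo "no-resolver: $root/etc/resolv.conf"; n=$((n + 1))
    fi
    if [ -n "$sock" ]; then
        if ! jail_path "$root" "$sock" >/dev/null; then
            echo "socket-outside-jail: $sock"; n=$((n + 1))
        elif [ ! -S "$sock" ]; then
            echo "socket-missing: $sock"; n=$((n + 1))
        fi
    fi
    return "$n"
}

# Stand-alone use: ./check.sh /home/site1 /home/site1/index.php [socket]
if [ "$#" -ge 2 ]; then
    check_jail "$@"
fi
```

The path printed by `jail_path` is the form the chrooted worker can open, so it is the form the script path handed to FPM has to take; a socket reported as outside the jail has to be made available under the chroot root or replaced by a TCP connection.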