Welcome! Log In Create A New Profile


FPM and AppArmor/change_hat

Posted by Pantelis Koukousoulas 
Pantelis Koukousoulas
FPM and AppArmor/change_hat
July 13, 2012 05:04PM

Thanks for the cool process manager!

I want to use FPM in setups with several pools where processes in each
pool should only have access to a specific folder/hierarchy
(e.g., pool user1 will have user "user1" and access to
/var/www/vhosts/user1.com and pool user2 to
/var/www/vhosts/user2.com but they should not be able to access
each other's dir, or even to know it exists).

Pne of the ways to do this in Linux, avoiding some of the headaches of
chroot (e.g., binaries/libs that need to be inside the chroot and updating
those) is apparmor: http://wiki.apparmor.net

Usually apparmor has profiles per executable path (i.e., just one profile
for php5-fpm) but there is also the ability to have "hats" / subprofiles
which would work nicely for the php case, I think.

There is already a module for PAM (sshd / su etc use it transparently
this way) as well as modules for apache (useful for mod_php) and

I would like to have this functionality in php-fpm as well.

Is this feature already discussed / planned / implemented by someone
somewhere etc?

If not, I haven't looked hard into how it could be implemented yet
but it seems that one way would be to add PAM support to FPM
and start a PAM session after doing setuid/setgid etc when a new
pool is created.

Then admins could add apparmor support as well transparently
without FPM having any direct dependency to apparmor (which
I assume would be undesirable).

Any opinions?

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 141
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready