Welcome! Log In Create A New Profile

Advanced

a good how to on php-fpm chroot?

Posted by vidluther 
a good how to on php-fpm chroot?
August 08, 2012 10:08AM
Does anyone have a base set of files that are needed to get the chroot
directive for php-fpm to work properly?

At first I had issues with the timezone, and I had to copy /etc/localtime
and /usr/share/zoneinfo into the chrooted directory.

Now, I'm having trouble resolving dns, I've tried the /etc/resolve.conf,
/lib64/libnss_* files.. but I'm still having issues.

I can't be the first person to run into these issues, so I've googled
around, and a lot of the answers have been people either giving up on
chroot, or talking about the timezone issue.

I'd love to find an authoritative /complete jail how to, if anyone has seen
one.
Re: a good how to on php-fpm chroot?
August 08, 2012 10:13AM
I'm having the exact same problem. I fixed the timezone issue, but I can't get dns to resolve properly. I've googled for hours, searched stackoverflow,serverfault for hours... I just can't find anything that says exactly what I need to do to fix this.

I'm running ubuntu 12.04.

Can someone please help with this? There has to be some guide that says exactly what files need to be in the chroot for dns to function.
Rainer Duffner
Re: a good how to on php-fpm chroot?
August 08, 2012 10:22AM
Am Wed, 8 Aug 2012 09:06:32 -0500
schrieb Vid Luther <vid@zippykid.com>:

> Does anyone have a base set of files that are needed to get the chroot
> directive for php-fpm to work properly?
>
> At first I had issues with the timezone, and I had to
> copy /etc/localtime and /usr/share/zoneinfo into the chrooted
> directory.
>
> Now, I'm having trouble resolving dns, I've tried
> the /etc/resolve.conf, /lib64/libnss_* files.. but I'm still having
> issues.
>
> I can't be the first person to run into these issues, so I've googled
> around, and a lot of the answers have been people either giving up on
> chroot, or talking about the timezone issue.
>
> I'd love to find an authoritative /complete jail how to, if anyone
> has seen one.



On FreeBSD, you don't copy, you nullfs_mount.

Don't know about Linux. I assume, it also has some sort of nullfs_mount.

And you also need at least /dev/random, /dev/urandom, /dev/null
and /dev/zero.
Re: a good how to on php-fpm chroot?
August 09, 2012 04:38AM
I have a working php-fpm chroot on Solaris.
I took me almost nothing to build it. First of all, I started with just a
home directory of the user the php-fpm is launched under. The daemon was
complaining about some things, and I've created those directories. If I
remember correctly, it was only the /tmp.

The thing is, this used need the ftp access, and the ftpd on Solaris
doesn't have the 'ftpchroot' feature, instead, it makes a full chroot to
the user home directory, so I used the ftpconfig to create all of the
needed files for ftpd. So now I have some /usr/bin, /lib and stuff, but I'm
pretty sure php-fpm needs way less than that.

On Wed, Aug 8, 2012 at 8:21 PM, Rainer Duffner <rainer@ultra-secure.de>wrote:

> Am Wed, 8 Aug 2012 09:06:32 -0500
> schrieb Vid Luther <vid@zippykid.com>:
>
> > Does anyone have a base set of files that are needed to get the chroot
> > directive for php-fpm to work properly?
> >
> > At first I had issues with the timezone, and I had to
> > copy /etc/localtime and /usr/share/zoneinfo into the chrooted
> > directory.
> >
> > Now, I'm having trouble resolving dns, I've tried
> > the /etc/resolve.conf, /lib64/libnss_* files.. but I'm still having
> > issues.
> >
> > I can't be the first person to run into these issues, so I've googled
> > around, and a lot of the answers have been people either giving up on
> > chroot, or talking about the timezone issue.
> >
> > I'd love to find an authoritative /complete jail how to, if anyone
> > has seen one.
>
>
>
> On FreeBSD, you don't copy, you nullfs_mount.
>
> Don't know about Linux. I assume, it also has some sort of nullfs_mount.
>
> And you also need at least /dev/random, /dev/urandom, /dev/null
> and /dev/zero.
>
>
Re: a good how to on php-fpm chroot?
August 09, 2012 10:12AM
Hi,

Chroot is pretty straight forward in php, php takes care of make everything
transparent and available inside chroot without having to place a file for
everything as you have to with an usual chroot.

Anyway some are not straight forward, you should use ldd command to see all
required libraries for a given binary that php does not automagically allow
you to use inside chroot.

In my case the worst was allow outgoing mail from chroots, ended up setting
it up a wrapper that looks like sendmail for php and chrooted users but in
fact connects to localhost:25 to the real server for mail sending.

My current chroot path base is this:
../lib
../lib/libbz2.so.1.0
../lib/libnss_nis.so.2
../lib/libnsl.so.1
../lib/libm.so.6
../lib/libcrypt.so.1
../lib/libnss_dns.so.2
../lib/libc.so.6
../lib/libdl.so.2
../lib/libnss_files.so.2
../lib/libnss_compat.so.2
../lib/libcom_err.so.2
../lib/libpthread.so.0
../lib/libkeyutils.so.1
../lib/librt.so.1
../lib/libresolv.so.2
../lib64
../lib64/ld-linux-x86-64.so.2
../etc
../etc/hosts
../etc/email-addresses
../etc/resolv.conf
../etc/nsswitch.conf
../etc/ld.so.cache
../tmp
../var
../var/log
../var/run
../var/run/apache2
../usr
../usr/lib
../usr/lib/libkrb5support.so.0
../usr/lib/libz.so.1
../usr/lib/libkrb5.so.3
../usr/lib/libcrypto.so.0.9.8
../usr/lib/libssl.so.0.9.8
../usr/lib/libqdbm.so.14
../usr/lib/libxml2.so.2
../usr/lib/libonig.so.2
../usr/lib/libk5crypto.so.3
../usr/lib/libdb-4.8.so
../usr/lib/libgssapi_krb5.so.2
../usr/sbin
../usr/sbin/sendmail

That's all

Hope it helps

Cheers



On Thu, Aug 9, 2012 at 5:36 AM, Eugene Zheganin <zheganin@gmail.com> wrote:

> I have a working php-fpm chroot on Solaris
> I took me almost nothing to build it. First of all, I started with just a
> home directory of the user the php-fpm is launched under. The daemon was
> complaining about some things, and I've created those directories. If I
> remember correctly, it was only the /tmp.
>
> The thing is, this used need the ftp access, and the ftpd on Solaris
> doesn't have the 'ftpchroot' feature, instead, it makes a full chroot to
> the user home directory, so I used the ftpconfig to create all of the
> needed files for ftpd. So now I have some /usr/bin, /lib and stuff, but I'm
> pretty sure php-fpm needs way less than that.
>
>
> On Wed, Aug 8, 2012 at 8:21 PM, Rainer Duffner <rainer@ultra-secure.de>wrote:
>
>> Am Wed, 8 Aug 2012 09:06:32 -0500
>> schrieb Vid Luther <vid@zippykid.com>:
>>
>> > Does anyone have a base set of files that are needed to get the chroot
>> > directive for php-fpm to work properly?
>> >
>> > At first I had issues with the timezone, and I had to
>> > copy /etc/localtime and /usr/share/zoneinfo into the chrooted
>> > directory.
>> >
>> > Now, I'm having trouble resolving dns, I've tried
>> > the /etc/resolve.conf, /lib64/libnss_* files.. but I'm still having
>> > issues.
>> >
>> > I can't be the first person to run into these issues, so I've googled
>> > around, and a lot of the answers have been people either giving up on
>> > chroot, or talking about the timezone issue.
>> >
>> > I'd love to find an authoritative /complete jail how to, if anyone
>> > has seen one.
>>
>>
>>
>> On FreeBSD, you don't copy, you nullfs_mount.
>>
>> Don't know about Linux. I assume, it also has some sort of nullfs_mount.
>>
>> And you also need at least /dev/random, /dev/urandom, /dev/null
>> and /dev/zero.
>>
>>
>


--
Guzmán Brasó Núñez
Web: http://www.guruhub.com.uy
Mobile: +598 98 674020
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 240
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready