Hi,
Chroot is pretty straightforward in php; php takes care of making everything
transparent and available inside chroot without having to place a file for
everything as you have to with a usual chroot.
Anyway, some are not straightforward; you should use the ldd command to see all
required libraries for a given binary that php does not automagically allow
you to use inside chroot.
In my case the worst was allowing outgoing mail from chroots; I ended up setting
up a wrapper that looks like sendmail for php and chrooted users but in
fact connects to localhost:25 to the real server for mail sending.
My current chroot path base is this:
../lib
../lib/libbz2.so.1.0
../lib/libnss_nis.so.2
../lib/libnsl.so.1
../lib/libm.so.6
../lib/libcrypt.so.1
../lib/libnss_dns.so.2
../lib/libc.so.6
../lib/libdl.so.2
../lib/libnss_files.so.2
../lib/libnss_compat.so.2
../lib/libcom_err.so.2
../lib/libpthread.so.0
../lib/libkeyutils.so.1
../lib/librt.so.1
../lib/libresolv.so.2
../lib64
../lib64/ld-linux-x86-64.so.2
../etc
../etc/hosts
../etc/email-addresses
../etc/resolv.conf
../etc/nsswitch.conf
../etc/ld.so.cache
../tmp
../var
../var/log
../var/run
../var/run/apache2
../usr
../usr/lib
../usr/lib/libkrb5support.so.0
../usr/lib/libz.so.1
../usr/lib/libkrb5.so.3
../usr/lib/libcrypto.so.0.9.8
../usr/lib/libssl.so.0.9.8
../usr/lib/libqdbm.so.14
../usr/lib/libxml2.so.2
../usr/lib/libonig.so.2
../usr/lib/libk5crypto.so.3
../usr/lib/libdb-4.8.so
../usr/lib/libgssapi_krb5.so.2
../usr/sbin
../usr/sbin/sendmail
That's all
Hope it helps
Cheers
On Thu, Aug 9, 2012 at 5:36 AM, Eugene Zheganin <zheganin@gmail.com> wrote:
> I have a working php-fpm chroot on Solaris.
> It took me almost nothing to build it. First of all, I started with just a
> home directory of the user the php-fpm is launched under. The daemon was
> complaining about some things, and I've created those directories. If I
> remember correctly, it was only the /tmp.
>
> The thing is, this user needs the ftp access, and the ftpd on Solaris
> doesn't have the 'ftpchroot' feature, instead, it makes a full chroot to
> the user home directory, so I used the ftpconfig to create all of the
> needed files for ftpd. So now I have some /usr/bin, /lib and stuff, but I'm
> pretty sure php-fpm needs way less than that.
>
>
> On Wed, Aug 8, 2012 at 8:21 PM, Rainer Duffner <rainer@ultra-secure.de> wrote:
>
>> On Wed, 8 Aug 2012 09:06:32 -0500
>> Vid Luther <vid@zippykid.com> wrote:
>>
>> > Does anyone have a base set of files that are needed to get the chroot
>> > directive for php-fpm to work properly?
>> >
>> > At first I had issues with the timezone, and I had to
>> > copy /etc/localtime and /usr/share/zoneinfo into the chrooted
>> > directory.
>> >
>> > Now, I'm having trouble resolving dns, I've tried
>> > the /etc/resolve.conf, /lib64/libnss_* files.. but I'm still having
>> > issues.
>> >
>> > I can't be the first person to run into these issues, so I've googled
>> > around, and a lot of the answers have been people either giving up on
>> > chroot, or talking about the timezone issue.
>> >
>> > I'd love to find an authoritative/complete jail how-to, if anyone
>> > has seen one.
>>
>>
>>
>> On FreeBSD, you don't copy, you nullfs_mount.
>>
>> Don't know about Linux. I assume it also has some sort of nullfs_mount.
>>
>> And you also need at least /dev/random, /dev/urandom, /dev/null
>> and /dev/zero.
>>
>>
>
--
Guzmán Brasó Núñez
Web: http://www.guruhub.com.uy
Mobile: +598 98 674020
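
Added example (not part of the original thread): a shell check for the ldd step described in the top message, reporting which files a chroot tree still lacks for one binary. The function names and the usage paths are assumptions; the extra file and device names come from the listing and the quoted replies above and may live elsewhere on other distributions.

```shell
#!/bin/sh
# Added example: report files missing from a chroot for one binary.
# ldd output is read from stdin, so parsing can be checked offline.
# Usage (binary and chroot paths are assumptions):
#   ldd /usr/sbin/php5-fpm | chroot_missing /srv/chroot/site1

# Files ldd does not report: glibc dlopen()s the NSS modules at run time,
# and the resolver opens its config files by path. Names are taken from
# the listing in the top message.
EXTRA_FILES="/lib/libnss_dns.so.2 /lib/libnss_files.so.2 /lib/libresolv.so.2
/etc/resolv.conf /etc/nsswitch.conf /etc/hosts"
# Device nodes named in the quoted reply.
EXTRA_DEVS="/dev/null /dev/zero /dev/random /dev/urandom"

# ldd_paths: print the absolute library paths found in ldd output (stdin).
ldd_paths() {
    awk '
        # "libc.so.6 => /lib/libc.so.6 (0x...)"
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # "/lib64/ld-linux-x86-64.so.2 (0x...)"
        $1 ~ /^\// { print $1 }
    ' | LC_ALL=C sort -u
}

# chroot_missing ROOT: print each required path that is absent under ROOT.
chroot_missing() {
    root=$1
    # Regular files: libraries from ldd plus the run-time extras.
    { ldd_paths; printf '%s\n' $EXTRA_FILES; } | while read -r p; do
        [ -e "$root$p" ] || echo "$p"
    done
    # Device nodes must be character devices, not empty regular files.
    for d in $EXTRA_DEVS; do
        [ -c "$root$d" ] || echo "$d"
    done
}
```

An empty result means every checked path exists under the chroot root; it does not prove name resolution works, only that the files ldd and the resolver look for are present.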