Anonymous User
What should the file permissions be for each php-fpm pool
November 04, 2012 05:31PM
I am looking for the best/most secure way of hosting an application for multiple clients on the same machine. Right now the number of clients is only 5, but in the future it may increase to hundreds. I was thinking that the best way is to create a php-fpm pool for each client, and then an associated user as well. So, for each new client, I create a linux user `php-username-here`, and its own php-fpm pool which the worker type set to on-demand.

My question is, even though I will chown -R php-username-here:php-username-here /their/app/directory, and the permissions will be 0755, can't the world still read their php files, and most importantly configuration settings such as MySQL credentials, since the permissions are world readable? Do I need to chmod -R 750 /their/app/directory?

Basically, what should the permission be on files?
Re: What should the file permissions be for each php-fpm pool
May 05, 2013 04:29PM
As each virtual host uses its own php-fpm pool, the following is possible:

php-fpm.conf:

[php-username1]
user php-username1;
group www;

.....

[php-username2]
user php-username2;
group www;

.....

Then your php-fpm init script should start php-fpm with umask 0077. It means that php-fpm will create files owned by user defined in corresponding php-fpm pool, and new files will have 600 permissions (folders will have 700 permissions). It means that only appropriate php-username* process will be able to write to files in the corresponding pool/virtual host document tree.

Then suppose your users use FTP service to upload/change/delete files and folders in their document root (virtual host document root). Similarly, you should configure default 0077 umask in your FTP server, so that new files created by FTP service will use the same permissions and the same owner/group as the files created by the PHP-FPM process.

Then all your web users will not be able to access anything else outside their document root, unless permissions are given specifically to allow access. "open_basedir" setting per php-fpm pool or jailed root environment may restrict them even further, so they truly cannot access anything beyond their document root level.

Hope this helps,

Andrejs
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 108
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready