Dynamic uid/gid/chroot based on request url

Dennis Jacobfeuerborn
Dynamic uid/gid/chroot based on request url
January 05, 2010 10:44AM
Hi,
I looked at the discussion at
http://groups.google.com/group/highload-php-en/browse_thread/thread/c5d13b16f418f861
and I'm wondering if this is still considered to be added to php-fpm.
Since I could really use a feature like this I'd probably take a
shot at implementing it if this is welcome.
The model I'm looking at would look like this:

- There is a user "peter" with uid 500 and gid 500
- His htdocs directory is located at /home/peter/htdocs. The directory has the uid and gid of the user.
- There is a regular expression in the php-fpm config file that defines the location of these htdocs directories. In this case "/home/[a-z]+/htdocs"

- User "peter" makes a request with the path "/subdir/index.php"
- The resulting path to the script is "/home/peter/htdocs/subdir/index.php"
- The regular expression matches the url and the resulting match is "/home/peter/htdocs"
- php-fpm stat()'s this directory to determine the uid and gid it is supposed to run as and uses this directory to chroot() to.

Some possible (optional?) improvements:
- After stat()'ing the directory php-fpm could also stat the script itself and check whether the uid and gid of both match and refuse to honor the request if they don't. This would deal with the case where another user manages to copy a script into "peter"s htdocs directory.
- The chroot() regular expression could optionally be defined separately from the directory uid/gid regular expression.

The general idea is to have a pool of "anonymous" worker processes that then get their identity for each request with the process outlined above. Maybe these processes can be cached so that a process that has acquired a uid/gid/chroot can be kept around for X seconds and if another request with a matching url comes in during that time the process can be reused. This could even be hooked into the adaptive-process-spawning mechanism to manage this sort of process-caching.

Any opinions on this?
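As an added example (not code from the thread or from php-fpm), the per-request resolution the post outlines, in C: regex match against the script path, stat() of the matched directory, the optional owner check on the script, then the chroot/setgid/setuid step. The regex is anchored and the match must end on a path separator, which is this example's own tightening; make_demo_tree and the /tmp paths are a constructed fixture so the resolver can be exercised without root.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Identity resolved for one request: who to run as and where to chroot. */
struct req_identity { uid_t uid; gid_t gid; char root[PATH_MAX]; };
/* Match script_path against docroot_re (the post's "/home/[a-z]+/htdocs"),
 * stat the matched directory for its uid/gid, then require the script to have
 * the same owner (the post's optional check). 0 ok, -1 no match, -2 mismatch. */
int resolve_identity(const char *docroot_re, const char *script_path,
                     struct req_identity *out)
{
    regex_t re; regmatch_t m[1]; struct stat ds, fs;
    if (regcomp(&re, docroot_re, REG_EXTENDED) != 0) return -1;
    int rc = regexec(&re, script_path, 1, m, 0);
    regfree(&re);
    /* Match must start the path and end on '/', so "/home/peter/htdocs2/x.php"
     * cannot borrow peter's identity. */
    if (rc != 0 || m[0].rm_so != 0 || m[0].rm_eo >= PATH_MAX
        || script_path[m[0].rm_eo] != '/') return -1;
    memcpy(out->root, script_path, m[0].rm_eo); out->root[m[0].rm_eo] = '\0';
    if (stat(out->root, &ds) != 0 || !S_ISDIR(ds.st_mode)) return -1;
    if (stat(script_path, &fs) != 0 || !S_ISREG(fs.st_mode)) return -1;
    if (fs.st_uid != ds.st_uid || fs.st_gid != ds.st_gid) return -2;
    out->uid = ds.st_uid; out->gid = ds.st_gid; return 0;
}

/* Apply it: chroot, chdir("/"), drop supplementary groups, gid, then uid, and
 * confirm root cannot be regained. Needs root; irreversible, as the reply says. */
int apply_identity(const struct req_identity *id)
{
    if (chroot(id->root) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(id->gid) != 0) return -1;
    return (setuid(id->uid) == 0 && setuid(0) != 0) ? 0 : -1;
}

/* Constructed fixture: <base>/htdocs/<script> owned by the current user. */
int make_demo_tree(const char *base, const char *script)
{
    char p[PATH_MAX]; FILE *f;
    (void)mkdir(base, 0755);
    snprintf(p, sizeof p, "%s/htdocs", base); (void)mkdir(p, 0755);
    snprintf(p, sizeof p, "%s/htdocs/%s", base, script);
    if ((f = fopen(p, "w")) == NULL) return -1;
    return (fputs("<?php echo 'hi';\n", f) >= 0 && fclose(f) == 0) ? 0 : -1;
}
```

apply_identity must run as root and binds the calling process for good; a worker that has called it cannot be handed to another customer, which is the limitation the reply raises.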
Jérôme Loyet
Re: Dynamic uid/gid/chroot based on request url
January 05, 2010 11:14AM
Hi,

I know it would be kind of useful. You have 100 different customers on
a single server and you want a single instance of FPM to handle each of
them independently (chroot, uid, gid). You want FPM to create
something like 20 processes which will all be shared between users. But
the way FPM is made, it's impossible to do.

For each process, FPM launches N processes. Each process will handle
several requests (thousands). When a process is created, its uid, gid
and chroot are changed DEFINITIVELY. It's not possible to change them
afterwards for security reasons. So if you have 100 different customers,
you will have at least 100 different processes, each of them handling
only one customer.

In apache, there is suexec which is used to secure CGI (and not
fastcgi). Because in CGI, a process handles only one request. So it's
not a problem to setuid/chroot each time as the process will die after
the request.

I think the best way to handle this is to create a worker pool for each
customer, use the dynamic process management and set the min spare to
the minimum (1).

++ Jerome

2010/1/5 Dennis Jacobfeuerborn <djacobfeuerborn@gmail.com>:
> Hi,
> I looked at the discussion at
> http://groups.google.com/group/highload-php-en/browse_thread/thread/c5d13b16f418f861
> and I'm wondering if this is still considered to be added to php-fpm.
> Since I could really use a feature like this I'd probably take a
> shot at implementing it if this is welcome.
> The model I'm looking at would look like this:
>
> - There is a user "peter" with uid 500 and gid 500
> - His htdocs directory is located at /home/peter/htdocs. The directory has the uid and gid of the user.
> - There is a regular expression in the php-fpm config file that defines the location of these htdocs directories. In this case "/home/[a-z]+/htdocs"
>
> - User "peter" makes a request with the path "/subdir/index.php"
> - The resulting path to the script is "/home/peter/htdocs/subdir/index.php"
> - The regular expression matches the url and the resulting match is "/home/peter/htdocs"
> - php-fpm stat()'s this directory to determine the uid and gid it is supposed to run as and uses this directory to chroot() to.
>
> Some possible (optional?) improvements:
> - After stat()'ing the directory php-fpm could also stat the script itself and check whether the uid and gid of both match and refuse to honor the request if they don't. This would deal with the case where another user manages to copy a script into "peter"s htdocs directory.
> - The chroot() regular expression could optionally be defined separately from the directory uid/gid regular expression.
>
> The general idea is to have a pool of "anonymous" worker processes that then get their identity for each request with the process outlined above. Maybe these processes can be cached so that a process that has acquired a uid/gid/chroot can be kept around for X seconds and if another request with a matching url comes in during that time the process can be reused. This could even be hooked into the adaptive-process-spawning mechanism to manage this sort of process-caching.
>
> Any opinions on this?
>
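The per-customer pool layout the reply recommends, as an added php-fpm configuration example that is not from the thread; the pool names, socket paths and child counts are assumed values.

```ini
; Added example: one pool per customer. Every worker in a pool is bound to
; that customer's user/group/chroot for its whole life, so the sharing the
; post asked for is replaced by per-pool isolation with a minimal footprint.
[peter]
listen = /var/run/php-fpm-peter.sock   ; assumed path, one socket per pool
user = peter
group = peter
chroot = /home/peter                   ; workers see /htdocs, not /home/peter/htdocs
chdir = /htdocs
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1               ; the "min spare = 1" the reply suggests
pm.max_spare_servers = 2

[paula]
listen = /var/run/php-fpm-paula.sock   ; assumed path
user = paula
group = paula
chroot = /home/paula
chdir = /htdocs
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
```

The web server has to route each customer's requests to that customer's socket, and because chroot is set, SCRIPT_FILENAME must be passed relative to the chroot directory.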