Suexec-like behaviour?

Posted by Makeable 
Makeable
Suexec-like behaviour?
March 31, 2009 12:07AM
Hello all,

Could someone please point me in the direction of some documentation
of how I can configure the suexec and chroot behaviour of the workers.
Is it dynamic based upon the location and ownership of the document
root or must I manually configure pools for each user?

Thanks,

Matt
Re: Suexec-like behaviour?
March 31, 2009 11:49AM
On Mon, Mar 30, 2009 at 9:07 PM, Makeable <matt@makeable.co.uk> wrote:
>
> Hello all,
>
> Could someone please point me in the direction of some documentation
> of how I can configure the suexec and chroot behaviour of the workers.
> Is it dynamic based upon the location and ownership of the document
> root or must I manually configure pools for each user?

It is defined on how you decide.

The great thing about php-fpm is you can make different pools per user
(which is what I do) and there's no need for a 'suexec' type thing.
You just give them each a tcp port (I usually take their user id and
add 10000, so uid 1001 = port 11001) or you can give them a socket as
well.

I don't think there is a chroot option. But you can add additional
php.ini directives into the php-fpm.conf file for each pool which may
help, or also since the PHP processes are running as each user, they
can only touch files and read files that they'd have access to just
like the user was in a shell. So you could change everyone's
directories to 0711, which allows direct access to files but does not
allow you to list files, things like that...
Makeable
Re: Suexec-like behaviour?
April 04, 2009 05:57AM
Thanks Michael,

We are now indeed configuring pools on a per-user basis.

As a proposal, it would be nice to allow dynamic configuration of
pools based on the passed docroot.
There could be a default setting to configure the number of workers et
al, and permissions could be based upon ownership and location of the
docroot.

I understand that this would require modifications to the mechanics of
php-fpm, and require a pool manager to be spawned as root, but the
resultant zero-configuration would certainly facilitate its usage in
large scale multi-user hosting environments, and potentially make it
user-friendly enough for adoption into the PHP core.

Any feedback on these thoughts would be appreciated.

Kind regards,

Matt
Re: Suexec-like behaviour?
April 04, 2009 06:27AM
On Sat, Apr 4, 2009 at 2:57 AM, Makeable <matt@makeable.co.uk> wrote:

> We are now indeed configuring pools on a per-user basis.
>
> As a proposal, it would be nice to allow dynamic configuration of
> pools based on the passed docroot.

I actually had something similar in my "ideas for a fastcgi management
app" which php-fpm wound up meeting almost all of my needs with.

You could of course just set up to automatically generate the conf file
based on your own scripting.

And Andrei has plans to get it into the php core when it is feature
complete and the license is adjusted to be compatible...
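
An added example (not code from the posters or from the php-fpm project) of the "generate the conf file with your own scripting" approach discussed above, using the thread's uid + 10000 port convention. It assumes the INI-style pool syntax of current php-fpm releases, `open_basedir` as the per-pool php.ini directive, a `MIN_UID` of 1000, and a constructed passwd sample; the function names are hypothetical.

```python
import re

PORT_OFFSET = 10000   # thread's convention: uid 1001 -> port 11001
MIN_UID = 1000        # assumption: lower UIDs are system accounts
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
SAFE_HOME = re.compile(r"^/[A-Za-z0-9._/-]+$")

# Constructed sample in /etc/passwd format (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:1002::/home/bob:/bin/sh
bad]name:x:1003:1003::/home/bad:/bin/sh
bulk:x:60000:60000::/home/bulk:/bin/sh
"""

def parse_users(passwd_text):
    """Yield (name, uid, home) for accounts that can safely get a pool."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if uid < MIN_UID or uid + PORT_OFFSET > 65535:
            continue  # system account, or uid + 10000 is not a valid TCP port
        if not SAFE_NAME.match(name) or not SAFE_HOME.match(home):
            continue  # refuse values that could break the config syntax
        yield name, uid, home

def render_pool(name, uid, home):
    """Return one pool section; group defaults to the user's own group."""
    return "\n".join([
        f"[{name}]",
        f"user = {name}",
        f"listen = 127.0.0.1:{uid + PORT_OFFSET}",
        "pm = static",
        "pm.max_children = 2",   # assumption: small fixed worker count
        f"php_admin_value[open_basedir] = {home}/:/tmp/",
        "",
    ])

def render_all(passwd_text):
    """Render every eligible account's pool section as one config string."""
    return "\n".join(render_pool(*u) for u in parse_users(passwd_text))

if __name__ == "__main__":
    print(render_all(SAMPLE_PASSWD))
```

A loopback TCP port can be reached by every local user, so the per-user socket option mentioned in the thread, with restrictive permissions, isolates pools more tightly than the port scheme.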
Re: Suexec-like behaviour?
April 16, 2010 11:03AM
mike Wrote:
-------------------------------------------------------
> On Mon, Mar 30, 2009 at 9:07 PM, Makeable wrote:
> >
> > Hello all,
> >
> > Could someone please point me in the direction of some documentation
> > of how I can configure the suexec and chroot behaviour of the workers.
> > Is it dynamic based upon the location and ownership of the document
> > root or must I manually configure pools for each user?
>
> It is defined on how you decide.
>
> The great thing about php-fpm is you can make different pools per user
> (which is what I do) and there's no need for a 'suexec' type thing.
> You just give them each a tcp port (I usually take their user id and
> add 10000, so uid 1001 = port 11001) or you can give them a socket as
> well.
>
> I don't think there is a chroot option. But you can add additional
> php.ini directives into the php-fpm.conf file for each pool which may
> help, or also since the PHP processes are running as each user, they
> can only touch files and read files that they'd have access to just
> like the user was in a shell. So you could change everyone's
> directories to 0711, which allows direct access to files but does not
> allow you to list files, things like that...


Hi mike. Thank you for the information, it helps a lot. Have myself configure suexec and chroot.

"I can accept failure, everyone fails at something. But I can't accept not trying."
Editor @ [url=http://www.daily-reviews.com]Daily Reviews[/url]