0

I am running a small apache2 web server providing different independent PHP web applications, like nextcloud, personal PHP projects, etc. I have several instances of PHP-fpm running (different PHP versions and pools).

I recently decided to switch from the mpm_prefork apache2 module to mpm_event in order to support HTTP2. Up until now I ran different vhosts under different users to prevent mutual access under different vhosts. However, this is no longer possible with mpm_event.

What is possible now, is to run each PHP-fpm pool under a different user (as pointed out in this Stack overflow question). However, in order for this to work the php-fpm socket has to be accessible by the www-data user:

srw-rw---- 1 www-data www-data 0 10. Okt 12:31 /var/run/php/php8.1-fpm-cloud.sock

In my understanding this means, that a process running under www-data can just connect to this socket to execute code under the cloud user, which I created to isolate vhosts from each other. That would mean, that this configuration does not provide any security benefit compared to a single user solution.

Summarized my question is:

  • does this configuration provide any security benefit? Am I missing something?
  • is there a better way to isolate vhosts from each other with mpm_event?
  • could a proper configuration of PHP open_basedir prevent this problem? Is open_basedir really secure for this purpose?

Thank you in advance!

Improve this question

1 Answer 1

Reset to default
0

That would mean, that this configuration does not provide any security benefit compared to a single user solution.

No.

The FPM socket is not the only asset on the machine you might not want to share. Your webserver uid is probably www-data with default group www-data. The socket is rw for the group as well as the user.

You can get create php users for each php-pool (does not have to be aligned with vhosts) and set them up with www-data as a SUPPLEMENTARY group. As long as you don't set additional files with the group ownership www-data or grant permissiotns to others, the PHP scripts they invoke (or other binaries) won't be able to access each other's files.

Improve this answer
2
  • ok. Thanks for your response. But can't other php scripts connect to the fpm socket to switch to another user? Because by connecting to the socket the user is changed to the socket user. Commented Oct 13, 2024 at 13:49
  • I have no idea what you are saying. There is no "switch user". "Because by connecting to the socket the user is changed to the socket user" - please edit your question adding your evidence for this. Commented Oct 14, 2024 at 8:49

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.