I am creating a production server that will run nginx with php-fpm. I want to have a good mix between securing the server, and still having good quick workflow.
Now one thing that always secures the system is chrooting. Now I have read a lot about this, and chrooting nginx is pretty complicated.
It is said that a good way is using the chroot function that php-fpm has built in. I read several guides that explain how to set this up, but I haven't read about the implications this brings. I even read that there are none.
Well, the first problem I got was something time related. The solution was to copy /etc/localtime and the folder /usr/share/zoneinfo into the chroot directory.
NONE of the guides tell you this, and it is the first error you notice.
Now I am having trouble with file_get_contents; I get the following error:
failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known
I guess the solution will be to add more files into the chroot. I really don't want to do this for every website I develop.
Question
Now is this the case with chrooting, even in php-fpm, or am I doing something wrong? Is there something I have to enable to get everything working, or should I move everything into the directory?
Yes, you'll need a basic functioning filesystem within the chroot directory. And no, you shouldn't move (or link) everything - that'll pretty well defeat the entire purpose of chrooting.
Essentially, the resources that need to be present within the chroot are the ones that the server will need to access during runtime - any dynamically loaded libraries, log directories, and support structures needed for anything the server's doing.
In this case, you're missing basic name resolution configuration - /etc/resolv.conf, /etc/nsswitch.conf, and nss/dns/resolv related stuff from /lib would be a good start.

Copying resolving libs and /etc files isn't really necessary if you can run nscd on your server.
The basic idea is to bind-mount nscd's Unix domain socket (usually /var/run/nscd/socket) into the chroot. (e)glibc will try contacting it for resolving user names, hostnames etc. Only if nscd isn't running, (e)glibc resorts to resolving things by itself.
More details about this and other things you may need to fix when running PHP in a chroot can be found in my blog post:
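Putting the two answers together, as an added example that is not code from either answerer or from the question's author: a POSIX sh script that copies the time-zone data from the question and the resolver files and NSS libraries from the first answer into a php-fpm chroot, preserving their paths, and skips the libraries when the nscd socket from the second answer is already bind-mounted inside the chroot. The exact file list, the `SRC_ROOT` knob (so the logic can be exercised against a constructed source tree), and the inclusion of /etc/hosts are my assumptions; the bind mount itself needs root and is not performed here.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters): populate a
# php-fpm chroot with the pieces the question and the first answer say are
# missing, and check the result. SRC_ROOT is a constructed knob so the logic
# can be exercised against a fake source tree; leave it empty on a real host.
SRC_ROOT="${SRC_ROOT:-}"

# copy_into_chroot CHROOT PATH: copy the file or directory at PATH into CHROOT
# under the same absolute path. Returns 1 (and warns) if the source is absent.
copy_into_chroot() {
    chroot_dir=$1
    path=$2
    source_path="$SRC_ROOT$path"
    if [ ! -e "$source_path" ]; then
        echo "warning: $source_path not found, skipping" >&2
        return 1
    fi
    parent=$(dirname "$path")
    mkdir -p "$chroot_dir$parent"
    if [ -d "$source_path" ]; then
        cp -R "$source_path" "$chroot_dir$parent/"   # whole tree, e.g. zoneinfo
    else
        cp "$source_path" "$chroot_dir$path"         # follows symlinks (localtime)
    fi
}

# copy_nss_libs CHROOT: locate the glibc NSS/resolver shared objects the first
# answer refers to and copy each one, preserving its directory. Returns 1 if
# none were found. (Assumed library names; on merged-/usr systems a library
# may be copied under both /lib and /usr/lib, which is harmless.)
copy_nss_libs() {
    chroot_dir=$1
    found=0
    for lib in libnss_dns.so.2 libnss_files.so.2 libresolv.so.2; do
        for dir in /lib /lib64 /usr/lib /usr/lib64; do
            [ -d "$SRC_ROOT$dir" ] || continue
            # trailing slash makes find descend even when /lib is a symlink
            for f in $(find "$SRC_ROOT$dir/" -name "$lib" 2>/dev/null); do
                copy_into_chroot "$chroot_dir" "${f#"$SRC_ROOT"}" && found=$((found + 1))
            done
        done
    done
    [ "$found" -gt 0 ]
}

# nscd_socket_present CHROOT: true if nscd's socket (the second answer's
# approach) has been bind-mounted into the chroot; glibc then asks nscd
# instead of loading the NSS libraries itself.
nscd_socket_present() {
    [ -S "$1/var/run/nscd/socket" ]
}

# populate_chroot CHROOT: time-zone data (the question's first fix) plus the
# name-resolution files from the first answer. /etc/hosts is my addition.
populate_chroot() {
    chroot_dir=$1
    for p in /etc/localtime /usr/share/zoneinfo \
             /etc/resolv.conf /etc/nsswitch.conf /etc/hosts; do
        copy_into_chroot "$chroot_dir" "$p" || true
    done
    if nscd_socket_present "$chroot_dir"; then
        echo "nscd socket found in chroot; NSS libraries not needed" >&2
    else
        copy_nss_libs "$chroot_dir" || echo "warning: no NSS libraries found" >&2
    fi
}

# check_chroot CHROOT: list what is still missing; exit status 0 when complete.
check_chroot() {
    chroot_dir=$1
    missing=0
    for p in /etc/localtime /etc/resolv.conf /etc/nsswitch.conf; do
        if [ ! -e "$chroot_dir$p" ]; then
            echo "missing: $p" >&2
            missing=$((missing + 1))
        fi
    done
    if ! nscd_socket_present "$chroot_dir" &&
       ! find "$chroot_dir" -name libnss_dns.so.2 | grep -q .; then
        echo "missing: libnss_dns.so.2 (or a bind-mounted nscd socket)" >&2
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Usage (as root): sh populate-chroot.sh /path/to/pool/chroot
if [ "$#" -ge 1 ]; then
    populate_chroot "$1"
    check_chroot "$1"
fi
```

Run it against the directory named in the pool's `chroot` setting. The copied libraries are snapshots: they do not follow package upgrades of glibc, so the script should be rerun (or the nscd route taken, which keeps name resolution in the host's libc) after such upgrades.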