I decided to reinstall my box's PHP and Apache today to give FPM a go; I had never used it before and wanted to do some performance tests, as I've heard it is a lot faster. Right after compiling and installing PHP with FPM support, of course, the first thing was to look at the configuration, and I found that it is by default set to run under nobody / nobody. The problem is I have quite a few virtual servers set up and their files' access is limited to the apache / apache user and group. So here are a few questions that come to my mind:
- Why is PHP-FPM run by default under nobody / nobody?
- Can I change this?
- Should I change it?
- Is it considered a security risk to run PHP-FPM and Apache under the same user/group? If so, why?
- What other risks/considerations should I bear in mind about running under a different user and under the same user as Apache?
Note: I am using PHP 5.6.16 and Apache 2.4.16 if it matters.
For security reasons you should run each PHP-FPM pool in its own UID. In case of a security issue in one of your PHP sites, it will not propagate to other websites' content.
You must only give Apache the right to serve static content (read-only).
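As an added example (not part of the question or of the answer above), here is a POSIX shell script that lays out what the answer describes: one PHP-FPM pool per site running under that site's own UID, a Unix socket that only the web server may connect to, and a document root that Apache can read but not write and that other sites' UIDs cannot read at all. The directory paths, the `apache` user name, the Red Hat-style config locations and the `useradd` invocation are assumptions chosen to match the poster's apache/apache setup; adjust them for your distribution.

```shell
#!/bin/sh
# Added example: per-site PHP-FPM pools under separate UIDs, Apache read-only.
# Not from the original post. Paths and the "apache" user are assumptions.

FPM_POOL_DIR="${FPM_POOL_DIR:-/etc/php-fpm.d}"
FPM_SOCK_DIR="${FPM_SOCK_DIR:-/run/php-fpm}"
APACHE_USER="${APACHE_USER:-apache}"
APACHE_CONF_DIR="${APACHE_CONF_DIR:-/etc/httpd/conf.d}"

# Render the pool file for one site. The workers run as the site's own UID/GID;
# the socket is owned by the web server user with mode 0660, so only Apache
# (and root) can connect to it, and a compromised pool cannot talk to another.
render_pool() {
  site="$1"; docroot="$2"
  cat <<EOF
[$site]
user = $site
group = $site
listen = $FPM_SOCK_DIR/$site.sock
listen.owner = $APACHE_USER
listen.group = $APACHE_USER
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; Keep PHP file access inside this site's tree (defence in depth, not a sandbox).
php_admin_value[open_basedir] = $docroot:/tmp
chdir = $docroot
EOF
}

# Render the Apache 2.4 vhost. Apache itself never executes PHP; .php requests
# are proxied to this site's socket via mod_proxy_fcgi (needs Apache >= 2.4.10).
render_vhost() {
  site="$1"; docroot="$2"; servername="$3"
  cat <<EOF
<VirtualHost *:80>
    ServerName $servername
    DocumentRoot $docroot/public
    <Directory $docroot/public>
        Require all granted
        Options -Indexes
    </Directory>
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:$FPM_SOCK_DIR/$site.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
EOF
}

# Create the site user and lay out the document root so that the site's pool
# owns the files, Apache can only read them (via the group), and other sites'
# UIDs see nothing. Must run as root; useradd flags assume Linux shadow-utils.
install_site() {
  site="$1"; docroot="$2"; servername="$3"
  [ "$(id -u)" -eq 0 ] || { echo "install_site must run as root" >&2; return 1; }
  id "$site" >/dev/null 2>&1 || useradd --system --no-create-home --shell /sbin/nologin "$site"
  mkdir -p "$docroot/public" "$FPM_SOCK_DIR" "$FPM_POOL_DIR" "$APACHE_CONF_DIR"
  chown -R "$site:$APACHE_USER" "$docroot"
  find "$docroot" -type d -exec chmod 0750 {} +   # site: rwx, apache: r-x, others: none
  find "$docroot" -type f -exec chmod 0640 {} +   # site: rw-, apache: r--, others: none
  render_pool "$site" "$docroot" > "$FPM_POOL_DIR/$site.conf"
  render_vhost "$site" "$docroot" "$servername" > "$APACHE_CONF_DIR/$site.conf"
}

# Dispatch: "render" only prints the two config files, "install" writes them
# and fixes ownership/permissions. With no arguments nothing is executed.
case "${1:-}" in
  render)  render_pool "$2" "$3"; echo; render_vhost "$2" "$3" "$4" ;;
  install) install_site "$2" "$3" "$4" ;;
esac
```

Preview with `sh fpm-sites.sh render site1 /srv/www/site1 site1.example`, apply with `sudo sh fpm-sites.sh install site1 /srv/www/site1 site1.example`, then reload php-fpm and httpd (mod_proxy and mod_proxy_fcgi must be loaded). Because the pool's UID owns the code tree here, PHP that gets compromised can still rewrite its own site's files; if you want to prevent that as well, own the code by a separate deploy user and grant the pool user write access only to the directories that genuinely need it (uploads, cache).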