My servers run CentOS: Nginx + PHP-FPM (PHP via Fast-CGI). Every site is on its own VirtualHost.
Currently both Nginx and PHP-FPM run under root. I know this is bad practice, and there is no reason for any of the sites to have access to files outside of their own directory.
How would I go about creating jailed users and instructing nginx && php-fpm to play along accordingly?
Ok, you're using kind of a weird setup, but just in general:
First off, linux doesn't support true (bsd style) jails (unless you install openvz or vserver), but setting everything to run as a non priviledged user + chroots can very seriously improve security. Running things as a non-root user is essential, chroots are just an (arguably sizable) stumbling block for would-be attackers).
According to the php-fpm site, chrooting is supported via a configuration command. Of course, php-fpm has like, no documentation... If you poke through the source tarball you might find some documentation, or at least an example config. http://php-fpm.org/about/ says that setting the user, group, and chroot are possible. I've never used php-fpm, but it should be fairly commonsense.
To get nginx running as a non-root user, open the nginx configuration file, find the line that starts with "user" and change it to a non privileged user on the system. Create a new user with nologin as a shell or use the nobody user.
Then the process to chroot any daemon is basically as follows:
Keep in mind that any daemon which can be chrooted via the configuration file will not require this set of steps - the chrooting will be done by the program after the relevant library dependencies and configuration files have been loaded. Which makes life much simpler.
Once you've done this, in theory you should be ready to run nginx (or anything else) chrooted. In your /etc/init.d/ script for nginx, find where the nginx binary is actually run, and change it to use chroot, for example:
$DAEMON -c $CONFIGFILE
becomes
/usr/sbin/chroot /chroot/directory/here $DAEMON -c $CONFIGFILE
Then you can start nginx normally with your init.d script. *If you get an error from chroot like "chroot: cannot run command `/bin/that/actually/exists': No such file or directory" then you're missing some libraries, or something else essential. Anything that causes the binary to fail to run at all will result in that error (actually, one centos box of mine says Operation not permitted instead).
Since I don't have high enough of rep points to post a lot of links, check out www (dot) securityfocus (dot) com (slash) infocus/1694 (securing apache step by step) - it's a different http daemon, it's the same basic steps, at least as far as chrooting goes.
Also keep in mind that your file permissions in the chroot folder need to be attended to - basically as long as the user that nginx runs as can read/deal with your files in the chroot, everything will be fine.
Lastly, as an example of what type things are required in a chroot environment, here's a random list of files from an openwall box that's running a number of things chrooted. I'm using mysql as an example:
An example of the setup for a daemon that can be chrooted via it's configuration file is maradns:
As you can see, maradns did not require much to get it chrooted (actually it just required "chroot_dir = "/chroot/maradns" in the /etc/mararc file.
Anyway, this has been a long and extremely rambling post aimed towards software slightly different from that which you are using, however I hope this information is still useful.
nginx needs root to bind to port 80 as master process. Its worker processes then run at different user (based on configuration).
To make chrooted nginx and php-fpm play nice is not that difficult - just make sure nginx has a way to access php-fpm (using tcp is easiest) and make sure it passes correct path to php-fpm (relative to chrooted php-fpm, of course).
Additional security tips is to set file permissions properly. Here's how I did it:
condition:
permissions:
In short:
Finer permission can be given but this one should be easy enough and won't break anything.