Brandon's questions

Currently I am running nginx 1.0.11 and PHP-FPM. Each site has it's own user/group and has their home directory in /srv/www/.... I have the PHP-FPM pools set to run as the sites' user and group on separate ports (9001 for site1, 9002 for site2...). Does this do anything to help with security?

nginx is running as www-data:www-data. Currently if I have a PHP script in site1 (/srv/www/site1.com/www/public_html/script.php)I can do this include $_SERVER['DOCUMENT_ROOT'] . "/../../../site2.com/www/public_html/index.html"; and read that site's files.

How can I prevent this? I looked into chroot but each site's home directory has symlinks to /dotfiles that I need to keep and I assume nginx will need to access logs at /var/logs/nginx/...

For managing sites on my web server, I create a new user per site. They get a home directory where their public folder is located. From time to time I may be logging in as a site and would like to have my config/dotfiles available to work with. This is working fine with my single admin user, I am able to pull my git repo of dotfiles and update when there is a change. I added my dotfiles repo to /etc/skel so it gets added to every new user. This is becoming a pain because now I can't do a git pull because my public key isn't correct or something. Also, it will be a pain to go from site to site and update the repo. Is there a good way to handle this? Is there somewhere I can just symlink it to and have git access and write access with any account? I am the only user so far that will be logging in with a shell.

I have a keystore on one machine (at /root/.keystore) and I want to move it to another machine at the same location. Currently, the second machine doesn't have a keystore at /root/.keystore, is there a way I can export then create/import? Or do I need to create an empty one first?