Timur, 2013-10-05 21:58:07

Ubuntu Server: php-fpm running as www-data and security?

Good afternoon! I want to set up a production server on my own (not to save money, but in order to figure it out).
Dedicated server, Ubuntu Server 13.04, nginx + php-fpm bundle. Only one project will be running on the server.
I am practicing on a virtual machine and set up the server (nginx + php bundle) according to this guide (in short, everything is standard).
Nginx and PHP run as user and group www-data. www-data user home directory: /var/www
In /etc/passwd

www-data:x:33:33:www-data:/var/www:/bin/sh

The problem is that from PHP it is possible to get the list of files and directories from the root of the entire server:

scandir('/')

And this is unpleasant, because in the case of a vulnerability in the PHP code, all sorts of smart people can do a lot of bad things. Please tell me how to solve my problem and prevent the user from going beyond the home directory? Or is it handled in some other way?

P.S. I installed Linux for the first time in my life 2 weeks ago, so I may not know a lot. Those who wish to send me to Google without an example of a search query, please pass by.


3 answer(s)
kafeman, 2013-10-05
@kafeman

After starting the application, you can do a chroot; then its root will be, for example, /var/www (Google suggests that in php-fpm this can be set in the config, and then it will make this call itself). You can also configure access to individual files and directories for the www-data group.
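
The pool-level chroot mentioned in this answer can be checked mechanically. The shell sketch below is an added example, not part of the original thread or of php-fpm: it audits a pool file for `chroot` and `php_admin_value[open_basedir]` (both real php-fpm pool directives). The function names `pool_value` and `audit_pool`, the two sample pool files and the `/site` path are constructed for illustration.

```shell
# Added example: report missing confinement settings in a php-fpm pool file.

# pool_value FILE KEY: print the last uncommented value of KEY ("key = value").
pool_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                 # php-fpm comments start with ";"
        {
            eq = index($0, "=")
            if (eq == 0) next               # section headers such as [www]
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_pool FILE: one finding per line, nothing when the pool is confined.
audit_pool() {
    chroot_dir=$(pool_value "$1" "chroot")
    basedir=$(pool_value "$1" "php_admin_value[open_basedir]")
    run_user=$(pool_value "$1" "user")
    [ -n "$chroot_dir" ] || echo "NO_CHROOT: scandir('/') lists the real server root"
    [ -n "$basedir" ] || echo "NO_OPEN_BASEDIR: PHP file functions are not path-restricted"
    [ "$run_user" != "root" ] || echo "RUNS_AS_ROOT: pool user is root"
    return 0
}

# Constructed sample pools (not taken from the original page).
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
;chroot =
EOF
cat > "$tmp/confined.conf" <<'EOF'
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
; After chroot the pool sees /var/www as "/"; paths below are inside it.
chroot = /var/www
chdir = /
php_admin_value[open_basedir] = /site:/tmp
EOF
echo "default.conf:";  audit_pool "$tmp/default.conf"
echo "confined.conf:"; audit_pool "$tmp/confined.conf"
```

With `chroot` set, the script path nginx passes in `SCRIPT_FILENAME` has to be the path as seen from inside the chroot, and anything PHP relies on (DNS resolution, timezone data, a mail binary) must exist inside it.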

Dmitry, 2013-10-06
@totalcount

I described here how to properly set up your hosting on your server so that each site works under “its own” user.

kanuhamru, 2015-10-18
@kanuhamru

Here is the ideal solution, in my opinion: blog.netgusto.com/solving-web-file-permissions-pro...
Please comment on this method, I wonder what disadvantages it has.
