以安全的方式创建每用户php5-fpm池
[英]Creating per-user php5-fpm pools the secure way
问题描述
When creating per-user php5-fpm pools on an Apache mod_fastcgi setup which of the following is the most secure way and efficient way of granting webserver permissions to the PHP pool? 
在Apache mod_fastcgi上创建每用户php5-fpm池时,以下哪种方法是向PHP池授予Web服务器权限的最安全方式和有效方式?
Option 1: 选项1:
Set the group to www-data : 将组设置为www-data :
listen.owner = username
listen.group = www-data
listen.mode = 0660
user = username
group = www-data
While this works files created by PHP would have the ownership set to username:www-data while files uploaded via SCP will have username:username . 虽然这个由PHP创建的文件将所有权设置为用户名:www-data,而通过SCP上传的文件将具有用户名:username 。
Option 2: 选项2:
Add www-data to the supplementary group username : 将www-data添加到补充组username :
listen.owner = username
listen.group = username
listen.mode = 0660
user = username
group = username
- -
usermod -aG username www-data
Which of these options are secure? 哪些选项是安全的? You may also share a better method. 您也可以分享更好的方法。
I checked the following guides: 我检查了以下指南:
- http://www.howtoforge.com/php-fpm-nginx-security-in-shared-hosting-environments-debian-ubuntu http://www.howtoforge.com/php-fpm-nginx-security-in-shared-hosting-environments-debian-ubuntu
- http://www.binarytides.com/php-fpm-separate-user-uid-linux/ http://www.binarytides.com/php-fpm-separate-user-uid-linux/
But they were all written before bug #67060 was discovered and fixed. 但它们都是在发现并修复了#67060号错误之前编写的。
1 个解决方案
解决方案1
0 2017-10-08 10:58:59
I am using following setup on my LEMP (Nginx + PHP-FPM). 我在我的LEMP(Nginx + PHP-FPM)上使用以下设置。 For Apache this should also be applicable. 对于Apache,这也应该适用。
PHP-FPM runs several pools as nobody:user1 , nobody:user2 ... PHP-FPM作为nobody:user1运行多个池nobody:user1 , nobody:user2 ...
Nginx runs as nginx:nginx Nginx运行为nginx:nginx
User nginx is a member of each user1 , user2 .. groups: 用户nginx是每个user1 , user2 .. groups的成员:
# usermod -a -G user5 nginx
File permissions: 文件权限:
root:root drwx--x--x /home
user1:user1 drwx--x--- /home/user1 (1)
user1:user1 rwxr-x--- /home/user1/site.com/config.php (2)
user1:user1 drwxrwx--- /home/user1/site.com/uploads (3)
nobody:user1 rw-rw---- /home/user1/site.com/uploads/avatar.gif (4)
(1) User's home dir has no x permission for other , so php-fpm pool running as nobody:user2 will not have access to /home/user1 and vice versa. (1)用户的主目录没有other x权限,因此运行为nobody:user2 php-fpm池将无法访问/home/user1 ,反之亦然。
(2) php script doesn't have w for group , so it cannot create files in htdocs. (2)php脚本没有w用于group ,因此无法在htdocs中创建文件。
(3) On uploads dir we should manually enable write access for group user1 , to enable php script to put files there. (3)在uploads目录时,我们应该为组user1手动启用写访问,以启用php脚本将文件放在那里。 Don't forget to disable php handler for uploads , in nginx this is made by 不要忘记禁用uploads php处理程序,在nginx中这是由
server {
....
location ^~ /uploads/ { }
but for Apache you should check. 但对于Apache你应该检查。
(4) uploaded files should also have w for group if we want user1 to be able to edit these files later via ftp or ssh (logging in as user1:user1 ). (4)如果我们希望user1能够稍后通过ftp或ssh编辑这些文件(以user1:user1登录),则上传的文件也应该有w用于group 。 Php code is also editable via ftp since user1 is its owner . Php代码也可以通过ftp编辑,因为user1是它的owner 。
Nginx will have read access to all users and write access to all user's uploads since user nginx is a member of each user1 , user2 , ... groups. 由于用户nginx是每个user1 , user2 ,...组的成员,因此Nginx将具有对所有用户的read访问权以及对所有用户上传的write访问权。 You should not forget to add it to all later groups. 您不应忘记将其添加到所有后续组中。 You can also modify useradd script to do it automatically. 您还可以修改useradd脚本以自动执行此操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.