Creating per-user php5-fpm pools the secure way
When creating per-user php5-fpm pools on an Apache mod_fastcgi setup, which of the following is the most secure and efficient way of granting webserver permissions to the PHP pool?

Set the group to www-data:

listen.owner = username
listen.group = www-data
listen.mode = 0660
user = username
group = www-data

While this works, files created by PHP will have their ownership set to username:www-data, while files uploaded via SCP will have username:username.
Add www-data to the supplementary group username:

listen.owner = username
listen.group = username
listen.mode = 0660
user = username
group = username

usermod -aG username www-data

Which of these options are secure? You may also share a better method.

I checked the following guides:

But they were all written before bug #67060 was discovered and fixed.
I am using the following setup on my LEMP (Nginx + PHP-FPM). For Apache this should also be applicable.

PHP-FPM runs several pools as nobody:user1, nobody:user2 ...

Nginx runs as nginx:nginx

User nginx is a member of each of the user1, user2 .. groups:

# usermod -a -G user5 nginx

File permissions:

root:root drwx--x--x /home
user1:user1 drwx--x--- /home/user1 (1)
user1:user1 rwxr-x--- /home/user1/site.com/config.php (2)
user1:user1 drwxrwx--- /home/user1/site.com/uploads (3)
nobody:user1 rw-rw---- /home/user1/site.com/uploads/avatar.gif (4)
(1) The user's home dir has no x permission for other, so the php-fpm pool running as nobody:user2 will not have access to /home/user1, and vice versa.

(2) The php script doesn't have w for group, so it cannot create files in htdocs.

(3) On the uploads dir we should manually enable write access for group user1, to enable the php script to put files there. Don't forget to disable the php handler for uploads; in nginx this is done by

server {
....
location ^~ /uploads/ { }

but for Apache you should check.

(4) Uploaded files should also have w for group if we want user1 to be able to edit these files later via ftp or ssh (logging in as user1:user1). Php code is also editable via ftp since user1 is its owner.

Nginx will have read access to all users and write access to all users' uploads since user nginx is a member of each of the user1, user2, ... groups. You should not forget to add it to all later groups. You can also modify the useradd script to do it automatically.
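As an added example (not part of the original answer), the following POSIX shell script builds one user's tree with the modes listed in the answer inside a scratch directory and audits rules (1) to (3); it assumes GNU coreutils for stat -c, and the chown/usermod steps, which need root, are only shown as comments. The user name user1 is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer. Lays out one user's tree with
# the modes the answer lists (scratch directory, no root needed) and audits
# rules (1)-(3). Assumes GNU coreutils (stat -c '%a'); "user1" is hypothetical.
set -u

mode() { stat -c '%a' "$1"; }                # octal mode, e.g. 710

# Build: home 0710, site dir 0750, config.php 0750, uploads 0770, upload 0660.
make_layout() {
    home="$1"
    mkdir -p "$home/site.com/uploads"
    chmod 0710 "$home"                         # drwx--x---: nothing for "other"
    chmod 0750 "$home/site.com"
    : > "$home/site.com/config.php"
    chmod 0750 "$home/site.com/config.php"     # rwxr-x---: group cannot write
    chmod 0770 "$home/site.com/uploads"        # drwxrwx---: pool may write
    : > "$home/site.com/uploads/avatar.gif"
    chmod 0660 "$home/site.com/uploads/avatar.gif"
    # Ownership steps from the answer need root and are not run here:
    #   chown -R user1:user1 "$home"
    #   chown nobody:user1 "$home/site.com/uploads/avatar.gif"
    #   usermod -a -G user1 nginx
}

# Returns 0 when every rule holds, 1 otherwise, naming each violation.
check_layout() {
    home="$1"; rc=0
    # (1) the home dir grants no bits at all to "other"
    [ "$(( $(mode "$home") % 10 ))" -eq 0 ] \
        || { echo "FAIL: $home is reachable by other"; rc=1; }
    # (2) PHP code must not be group-writable (group write bit clear)
    for f in "$home"/site.com/*.php; do
        [ -e "$f" ] || continue
        [ "$(( ($(mode "$f") / 10) % 10 & 2 ))" -eq 0 ] \
            || { echo "FAIL: $f is group-writable"; rc=1; }
    done
    # (3) the uploads dir must be group-writable so the pool can store files
    [ "$(( ($(mode "$home/site.com/uploads") / 10) % 10 & 2 ))" -ne 0 ] \
        || { echo "FAIL: uploads is not group-writable"; rc=1; }
    return "$rc"
}

# Demo: build the tree under a scratch dir and audit it.
tmp=$(mktemp -d)
make_layout "$tmp/user1"
check_layout "$tmp/user1" && echo "layout OK"
rm -rf "$tmp"
```

Run it again with check_layout pointed at a real /home/userN to audit an existing tree; only the mode bits are checked, so ownership and group membership still need a manual look.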