
Apache 2.4 with FastCGI php5-fpm on ubuntu 14.04

I am trying to replace SuPHP with FastCGI. Earlier, I had folders with different owners and groups. Each group had www-data as a member as well. When any PHP file was run using the browser, it was run as the owner of the file. So if a file was owned by user A (Group A - www-data and A as members), it was executed as user A.

shell_exec('whoami') => return A

Now, I installed fastcgi and have configured it to run PHP files.

Here is my php5-fpm.conf file

<IfModule mod_fastcgi.c>
  AddHandler php5-fcgi .php
  Action php5-fcgi /php5-fcgi
  Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
  FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
</IfModule>

My issue is, now when I run the same file which is owned by A,

shell_exec('whoami') => return www-data

What am I doing wrong?

You can replace suPHP with FastCGI+PHP-FPM, but you'll need to set up an FPM pool per user and a virtual host per user (as you will need separate FastCgiExternalServer directives per user/pool and those are only valid per-virtualhost).

For example, in a given virtual root:

<FilesMatch "\.php$">
  SetHandler php5-fcgi
</FilesMatch>
Action php5-fcgi /php5-fcgi-username
Alias /php5-fcgi-username /usr/lib/cgi-bin/php5-fcgi-username
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi-username -socket /var/run/php5-fpm-username.sock -pass-header Authorization

and then in the FPM pool configuration you can use something like:

listen = /var/run/php5-fpm-username.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
user = ownerusername
group = ownerusergroup
pm = ondemand
pm.max_children = 30
pm.process_idle_timeout = 120s
pm.max_requests = 50000
catch_workers_output = yes

The listen.owner and listen.group FPM pool parameters are the user/group of the web server (that user is the only one allowed to connect to the PHP-FPM socket).

The user and group FPM pool parameters are the user and group used to run the PHP scripts.

If you have 10 users, you'll need 10 FPM pools.

Performance is much better with FastCGI+PHP-FPM when having lots of hits, but configuration tuning is harder. For a site/application with not-so-many hits per second, I really would not bother with FastCGI and PHP-FPM. Besides, with suPHP you get a per-user php.ini that you can edit without restarting the web server; with PHP-FPM all pools share the same php.ini and you need to restart the FPM daemon to reload it.
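Added example, not part of the answer above: a small Python audit of PHP-FPM pool files for settings that would undo the per-user separation the answer describes (pool running as the web server user, shared users or sockets, socket reachable by other local users). The pool names alice and bob, the `[pool]` section headers and the sample text are constructed for illustration; www-data as the web server account follows the answer.

```python
import configparser

WEB_USER = "www-data"  # assumption: the account Apache runs as, as in the answer

# Constructed sample in the answer's style; pool names alice/bob are hypothetical.
SAMPLE = """
[alice]
listen = /var/run/php5-fpm-alice.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
user = alice
group = alice

[bob]
listen = /var/run/php5-fpm-bob.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
user = www-data
group = www-data
"""

def audit_pools(text, web_user=WEB_USER):
    """Return (pool, finding) pairs for settings that defeat per-user isolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings, users, socks = [], {}, {}
    for pool in (p for p in cp.sections() if p != "global"):
        s = cp[pool]
        user, sock, mode = s.get("user"), s.get("listen"), s.get("listen.mode")
        if user in (None, "root", web_user):
            findings.append((pool, "scripts do not run as a dedicated user"))
        elif user in users:
            findings.append((pool, "shares user with pool " + users[user]))
        if sock and sock in socks:
            findings.append((pool, "shares socket with pool " + socks[sock]))
        if web_user not in (s.get("listen.owner"), s.get("listen.group")):
            findings.append((pool, "socket not owned by the web server user"))
        if mode is None:
            findings.append((pool, "listen.mode not set explicitly"))
        elif int(mode, 8) & 0o002:  # write bit for "other" permits connect()
            findings.append((pool, "socket mode lets any local user connect"))
        users.setdefault(user, pool)
        socks.setdefault(sock, pool)
    return findings

if __name__ == "__main__":
    for pool, finding in audit_pools(SAMPLE):
        print(pool + ": " + finding)
```

To audit real pool files, pass their concatenated contents to `audit_pools`.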

whoami just shows you your current user, under which the current script is running.

In Ubuntu via FastCGI you run your scripts as the www-data user, not as the user who owns that file. This is by design; it helps you to restrict web scripts from accessing the files they aren't allowed to access. If you need to change this behavior, you need to change the user Apache is running as, somewhere in the config files.

On my system this is specified in /etc/apache2/envvars by setting these two environment variables:

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
