Many web applications use PHP as a backend, usually served through PHP-FPM (the FastCGI Process Manager) behind a web server such as nginx or Apache. Although PHP-FPM workers normally run as an unprivileged user, they can still read the whole filesystem, so a vulnerable script can leak information (other applications' configuration files, /etc/passwd, and so on) or be used as a stepping stone for further attacks. Rather than blacklisting individual functions with disable_functions, which only blocks the functions you remember to list, it is better to enable PHP-FPM's built-in chroot feature. We will use the chroot created last time at JAIL=/opt/chroot.

One line to enable chroot

In /etc/php/7.3/fpm/pool.d/www.conf, uncomment the chroot line and point it at the jail:

chroot = /opt/chroot

Restart the service; it should come back without any error message. Good. Note that only the worker processes are chrooted (the master process still reads its configuration and creates the listening socket from outside the jail), and that from now on every path PHP sees is relative to the jail: the scripts must live under /opt/chroot, and the web server must pass SCRIPT_FILENAME and the document root as they appear from inside the jail, otherwise PHP-FPM answers "Primary script unknown" for every request.

Make socket available inside the chroot

The default path for the PHP-FPM socket is /run/php/php7.3-fpm.sock, which lies outside the jail and therefore cannot be reached by anything confined to it. To resolve the problem, either move the listening socket into the jail (and update the web server's fastcgi_pass to the new path):

listen = /opt/chroot/run/php/php7.3-fpm.sock

or use mount --bind to map the existing socket directory into the jail (create $JAIL/run/php first; a bind mount made this way does not survive a reboot unless you also add it to /etc/fstab):

mount --bind /run/php $JAIL/run/php

Repair timezone database

Debian's PHP is built against the system timezone database, so copy it into the jail (create $JAIL/usr/share first if it does not exist), otherwise PHP's date functions cannot find any timezone data:

cp -r /usr/share/zoneinfo $JAIL/usr/share

Finish

systemctl restart php7.3-fpm
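The whole procedure above, collected into one idempotent script, as an added example that is not part of the original post. It assumes the Debian php7.3 layout used here (pool file /etc/php/7.3/fpm/pool.d/www.conf, the php-fpm7.3 binary, socket name php7.3-fpm.sock, JAIL=/opt/chroot) and takes the first socket option (moving the listen path into the jail) rather than the bind mount. The helper names set_pool_option, prepare_jail and check_jail, and the extra world-writable $JAIL/tmp, are my own additions.

```shell
#!/bin/sh
# Added example (not from the original post): enable PHP-FPM's chroot for the
# Debian php7.3 pool and prepare the jail the workers need. Assumed paths: the
# pool file, the php-fpm7.3 binary and JAIL=/opt/chroot from the post.
set -eu

JAIL="${JAIL:-/opt/chroot}"
POOL="${POOL:-/etc/php/7.3/fpm/pool.d/www.conf}"

# Set KEY = VALUE in a pool file, replacing a commented-out ";key =" line if
# present and appending otherwise. Idempotent, so it is safe to re-run.
set_pool_option() {
  file="$1" key="$2" value="$3"
  tmp="$file.new.$$"
  if grep -Eq "^;?${key}[[:space:]]*=" "$file"; then
    sed -E "s|^;?${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
  else
    cat "$file" > "$tmp"
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# Create what the chrooted workers need: the socket directory, the timezone
# database (Debian's PHP uses the system tzdata) and a world-writable /tmp for
# uploads and session files (the /tmp part is an assumption, not in the post).
prepare_jail() {
  jail="$1" zoneinfo="${2:-/usr/share/zoneinfo}"
  mkdir -p "$jail/run/php" "$jail/usr/share" "$jail/tmp"
  chmod 1777 "$jail/tmp"
  rm -rf "$jail/usr/share/zoneinfo"
  cp -r "$zoneinfo" "$jail/usr/share/zoneinfo"
}

# Verify the jail has the pieces the post says are needed; prints what is
# missing and returns non-zero if anything is.
check_jail() {
  jail="$1" rc=0
  for p in run/php usr/share/zoneinfo/UTC; do
    if [ ! -e "$jail/$p" ]; then
      echo "missing: $jail/$p" >&2
      rc=1
    fi
  done
  return "$rc"
}

main() {
  prepare_jail "$JAIL"
  set_pool_option "$POOL" chroot "$JAIL"
  # Move the socket into the jail (the post's first option) so it is reachable
  # from inside; the web server's fastcgi_pass must point at this new path.
  set_pool_option "$POOL" listen "$JAIL/run/php/php7.3-fpm.sock"
  php-fpm7.3 -t                     # syntax-check the config before restarting
  systemctl restart php7.3-fpm
  check_jail "$JAIL"
}

# Only apply when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = apply ]; then
  main
fi
```

Run it as root with `sh php-fpm-chroot.sh apply`. It checks the configuration with `php-fpm7.3 -t` before restarting, so a typo in the pool file does not take the running service down. Afterwards point the web server's fastcgi_pass at /opt/chroot/run/php/php7.3-fpm.sock and make sure it passes SCRIPT_FILENAME relative to the jail.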