How to set up a basic chroot jail on Debian Buster – Part II: PHP-FPM
Many web applications use PHP as a backend, typically run as PHP-FPM behind a webserver. Although PHP-FPM workers usually run as an unprivileged user, they can still read the whole root filesystem, which may leak information or expose other security risks. Rather than disabling individual PHP functions, it is better to enable the chroot feature of PHP-FPM. We will use the chroot created last time at JAIL=/opt/chroot.
One line to enable chroot
In /etc/php/7.3/fpm/pool.d/www.conf, uncomment the following line:
chroot = /opt/chroot
Restart the service; no error message should be given. Good.
Make the socket available inside the chroot
The default path of the PHP-FPM socket is /run/php/php7.3-fpm.sock, which is inaccessible inside the chroot. To resolve this, either change the path of the listening socket:
listen = /opt/chroot/run/php/php7.3-fpm.sock
or use mount --bind to map it into the jail:
mount --bind /run/php $JAIL/run/php
Repair the timezone database
Copy the timezone information into the jail:
cp -r /usr/share/zoneinfo $JAIL/usr/share
Finally, restart PHP-FPM:
systemctl restart php7.3-fpm
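As an added example (not part of the original post), the following pre-flight script checks the three steps above before the final restart: that the pool file has an active chroot line, that the listen socket is reachable inside the jail by either of the two methods, and that the zoneinfo copy exists. JAIL and POOL default to the paths used in the post; the mounts table argument is normally /proc/mounts.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# PHP-FPM chroot steps above. JAIL and POOL default to the paths used in the
# post; every function takes explicit arguments so it can also be run against
# copies of the files (the mounts table is normally /proc/mounts).
JAIL=${JAIL:-/opt/chroot}
POOL=${POOL:-/etc/php/7.3/fpm/pool.d/www.conf}

# Print the active (uncommented) value of a pool.d key; empty if it is unset.
pool_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Succeeds when the pool file has an active "chroot = <dir>" line.
chroot_enabled() {
    [ -n "$(pool_value chroot "$1")" ]
}

# Succeeds when the listen socket is reachable from inside the jail: either
# it lies below the jail directory (option 1) or its directory appears as a
# mount point in the mounts table (option 2, mount --bind).
socket_reachable() {
    jail=$1 sock=$2 mounts=$3
    [ -n "$sock" ] || return 1
    case "$sock" in "$jail"/*) return 0 ;; esac
    awk -v mp="$jail${sock%/*}" '$2 == mp { found = 1 } END { exit !found }' "$mounts"
}

# Succeeds when the zoneinfo copy exists inside the jail.
zoneinfo_present() {
    [ -f "$1/usr/share/zoneinfo/UTC" ]
}

# Run every check, print one line each and return the number of failures.
preflight() {
    jail=$1 pool=$2 mounts=$3 failed=0
    chroot_enabled "$pool" && echo "ok   chroot = $(pool_value chroot "$pool")" \
        || { echo "FAIL chroot is not enabled in $pool"; failed=$((failed + 1)); }
    sock=$(pool_value listen "$pool")
    socket_reachable "$jail" "$sock" "$mounts" && echo "ok   socket $sock reachable in jail" \
        || { echo "FAIL socket '$sock' not reachable in jail"; failed=$((failed + 1)); }
    zoneinfo_present "$jail" && echo "ok   zoneinfo present under $jail" \
        || { echo "FAIL zoneinfo missing under $jail/usr/share"; failed=$((failed + 1)); }
    return $failed
}

# Run against the live system: sh preflight.sh run
if [ "${1:-}" = run ]; then preflight "$JAIL" "$POOL" /proc/mounts; fi
```

Once chroot is on, every path PHP sees is relative to the jail, so the application files must live under $JAIL and the webserver must pass SCRIPT_FILENAME as the path inside the chroot.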