I have configured my server (an Ubuntu 22.04 machine) so that it is managed by Apache (v2.4.55) and php7.4-fpm. The current configuration allows every vhosts to be divided into specific php-fpm pools, and each of these pools running with different users.
Everything works fine, but security related only to users to control permissions (or based on open_basedir) cannot stop shell_exec (which I need) from accessing, for example, configuration files inside /etc, or doing an ls -l /var/.
What I would like, therefore, is a way to prevent a user from being able to go around and view linux's standard folders.
I don't want to get to the point of making calls like:
setfacl -Rm u:user_site1:--- /;
setfacl -Rm d:u:user_site1:--- /;
and then authorizing each fundamental folder one by one. It seems too messy.
I had therefore thought of using chroot inside each pool, but I was not able to do so because there was always a problem related to paths AH01071: Got error 'Primary script unknown', and all online solutions say to modify the ProxyPassMatch call based on port 9000, but I use SetHandler with sockets and I don't want to change this setting.
What are the possible techniques? Do I really have to install SELinux?
Below, I am adding my configurations to better understand the situation.
/etc/apache2/sites-enabled/www.site.com.conf
<VirtualHost *:80>
Protocols h2 h2c http/1.1
H2Direct on
ServerAdmin server@site.com
ServerName www.site.com
DocumentRoot /var/www/vhosts/www.site.com/httpdocs
ErrorLog /var/www/vhosts/www.site.com/log/error.log
CustomLog /var/www/vhosts/www.site.com/log/access.log combined
<FilesMatch ".+\.ph(ar|p|tml)$">
SetHandler "proxy:unix:/run/php/php7.4-fpm-www_site_com.sock|fcgi://localhost"
</FilesMatch>
</VirtualHost>
<VirtualHost *:443>
Protocols h2 h2c http/1.1
H2Direct on
ServerAdmin server@site.com
ServerName www.site.com
DocumentRoot /var/www/vhosts/www.site.com/httpdocs
ErrorLog /var/www/vhosts/www.site.com/log/error_ssl.log
CustomLog /var/www/vhosts/www.site.com/log/access_ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/www.site.com.crt
SSLCertificateKeyFile /etc/ssl/private/www.site.com.key
<FilesMatch "\.(?:cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
<FilesMatch ".+\.ph(ar|p|tml)$">
SetHandler "proxy:unix:/run/php/php7.4-fpm-www_site_com.sock|fcgi://localhost"
</FilesMatch>
</VirtualHost>
/etc/php/7.4/fpm/php-fpm.conf
[global]
pid = /run/php/php7.4-fpm.pid
error_log = "syslog"
syslog.ident = php-fpm
include=/etc/php/7.4/fpm/pool.d/*.conf
/etc/php/7.4/fpm/pool.d/www_site_com.conf
[www.site.com]
user = user_site1
group = user_site1
listen = /run/php/php7.4-fpm-www_site_com.sock
listen.owner = user_site1
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
