2

I would like to configure a Centos 7 Apache 2.4 Linode to use php-fpm to execute php as the file owner. The docs for earlier Centos6 / Apache2.2 don't work and the configurations I have seen for setting up Lamp servers on Centos7 just run as the apache user. Are there any good tutorials to do this, or can someone provide the configuration files and virtual host directives need to do so? Thanks.

Town Websites
  • 21
  • 1
  • 3

2 Answers2

0

A partially educated self-response. php-fpm, unlike suphp, does not allow running as the script owner but instead allows setting up pools that specify a user and group to run as.

In Centos 7 with Apache 2.4, I found these declarations in /etc/php-fpm.d as www.conf. I created a duplicate of this file and put in one virtual hosts's username as user and group, and set the listen port to 9001 instead of 9000 (each requires a unique port on localhost socket). Then in each virtualhost declaration, you specify the same port with a line like below:

ProxyPassMatch ^/(..php(/.)?)$ fcgi://127.0.0.1:9001/home/dancenew/public_html/dneuser/$1

Note the above ProxyPassMatch is vulnerable to exploits, see CAVEATS in the Apache WIKI documentation at https://wiki.apache.org/httpd/PHP-FPM . Perhaps someone can provide a clear guide on how to avoid that exploit rather than leaving it as an exercise for the undereducated implementer ... I recall NGINX examples having similar problems even in what was considered solid example code that got copied by a lot of websites ...

Town Websites
  • 21
  • 1
  • 3
0

The solution you propose does have an additional potential security concern besides the one mentioned in the article you link to in your answer....because of the way that OpCache (by default) shares a single cache across all users on a shared hosting environment. A bug has been submitted (and you can, and should, go and vote to let the maintainers know how important this might be for your use case) though no commitment has been made on delivering a fix.

TL;DR : By default when OpCache is enabled, the cache that is used to store compiled byte-code is shared across all users. In an environment where hosting is shared between multiple sites / users, this can result in a site grabbing the cached output of php scripts from another site or, if specific security settings are enabled even generating errors.

If you plan on using PHP-FPM with PHP 5.5+'s built in opcache, please read the blog post below before you actually do that. Turns out that the opcode cache can be read by any user on the server. This means that if there are say, 10 separate users, with their own vhosts and directories, and you configure one PHP-FPM pool per user, each user can still see what scripts are cached and their locations. Since they have read access to the cache they could potentially view all this data.

This is obviously a massive security concern, and even if no one exploits this, there is still a chance of scripts being read by the wrong user when generating a page, so websites could possibly be displaying the wrong data / info if there are multiple index.php scripts in the cache.

Although no fix has been officially released, if you're using cPanel, this wiki has a documented way of configuring the php-fpm pools to be created and secured on a per-user basis and if you follow the instructions below as well as the IMPORTANT NOTES at the bottom of this answer you should be able to get the functionality you desire without any errors

That post also documents how you might configure this by hand on a per-site/per-user basis (though I'd wager that might become tedious if you're hosting a lot of sites). If you're not using cPanel, you may need to modify the scripts to specify your individual paths and usernames instead of the variables being used by cPanel's config engine.

IMPORTANT NOTES

During testing and additional research I came across this article which provide a few clarifications that may be relevant to your specific situation:

  1. You need to make sure that the opcache.use_cwd parameter is set to true for your application's configuration of OpCache - it's set to false by default and leaving it set to default will probably cause collisions if you're hosting more than one PHP application on your system:

First of all, probably in each typical project you will have to ensure that the opcache.use_cwd option is set to true. Enabling this setting means that the OpCache engine will look at the full file paths to distinguish between files with the same names. Setting it to false will lead to collisions between files with the same base name.

  1. If you're running an application powered by Zend Framework or another similar framework that makes use of annotations, you ALSO need to ensure that the opcache.load_comments and opcache.save_comments directives are set to true. You should double-check this suggestion with your application / framework documentation as most have now updated their docs with specific instructions on enabling the use of OpCache properly for their systems:

There is also a setting that is important in tools and frameworks that make use of annotations. If you use Doctrine, Zend Framework 2 or PHP Unit, remember to set the opcache.load_comments and opcache.save_comments settings to true. In result, the documentation comments from your files will also be included in the precompiled code generated by OpCache. This setting will allow you to work with annotations without any disruptions.

If your project is based on a specific framework or a web application, it’s always a good idea to check the documentation for any guidelines regarding the OpCache configuration

IMPORTANT NOTES

Hopefully this helped - and if you're using cPanel, drop a comment to let us know how you tackled that portion of the configuration! See also this question and associated comments.

Community
  • 1
Bryan 'BJ' Hoffpauir Jr.
  • 304
  • 3
  • 10