
I'm running nginx 1.10.1 on OpenBSD 6.0 with the packages php-7.0.8p0, php-curl-7.0.8p0, php-fastcgi-7.0.8p0, php-gd-7.0.8p0, php-mcrypt-7.0.8p0, php-mysqli-7.0.8p0, mariadb-client-10.0.25v1 and mariadb-server-10.0.25p0v1.

I have several MediaWiki 1.27.1 installations, one pool for images and several language wikis accessing the pool. Each installation has its own virtual subdomain configured in nginx.

php70_fpm runs chrooted, /etc/php-fpm.conf looks like this:

chroot = /path/to/chroot/jail

listen = /path/to/chroot/jail/run/php-fpm.sock

/etc/nginx/nginx/sites-available/en.domain.com looks like this:

fastcgi_pass   unix:run/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

/etc/my.cnf looks like this:

port            = 1234
socket          = /path/to/mysql.sock
bind-address    = 127.0.0.1
skip-external-locking
#skip-networking

When I try to fetch image descriptions from pool.domain.com on en.domain.com, I'm getting a "Couldn't resolve host pool.domain.com" error.

As soon as I run php_fpm without chroot, file descriptions are fetched from the pool without any problem.

I don't want to copy stuff from /etc into /path/to/chroot/jail so what can I do? Are there some PHP 7 modules I could use? Do I have to play around with unbound?

Any help is more than welcome!

Thanks and cheers,

Till

Till Kraemer

1 Answer


You seem to be missing required files / libraries for name resolution to work.

The minimum you need is /etc/resolv.conf. If adding this file does not help, you need to find out which libraries are missing from the chroot jail by using the ldd utility.

Tero Kilkanen
  • Thanks for your reply! But doesn't copying stuff like resolv.conf into the chroot jail kinda undermine the concept of having a chroot? – Till Kraemer Sep 18 '16 at 18:52
  • No, it does not undermine anything. The main point of having a chroot is to prevent PHP scripts from one website accessing data of other websites via normal filesystem operations. This restricts possible damage of a compromise via exploit to only that website in the chroot. But the fact is that there are several pieces of system code / settings that need to be in the chroot jail in order for it to work properly, because libraries and system directories are outside the chroot and therefore inaccessible. For example, `/proc`, `/dev`, `/sys` need to be there too. – Tero Kilkanen Sep 18 '16 at 19:53
  • Okay. Copying /etc/resolv.conf to /path/to/chroot/jail/etc works. I just thought I wasn't supposed to do that. Thanks for your help! – Till Kraemer Sep 18 '16 at 20:31
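As an added example (not code from the question or the answer), a small POSIX sh audit that does what the answer recommends: check the jail for /etc/resolv.conf (plus /etc/hosts and /etc/services, assumed here as the usual companions) and read ldd output for the php-fpm binary to list shared objects whose paths are absent inside the jail. The jail path, the binary path and the ldd layout in the comments are assumptions.

```shell
#!/bin/sh
# Audit a php-fpm chroot for the pieces name resolution needs.
# Example code; the jail and binary paths are placeholders.

# Files the libc resolver reads lazily, i.e. after chroot() has happened.
# /etc/resolv.conf is the minimum; hosts and services are assumed extras.
RESOLVER_FILES="etc/resolv.conf etc/hosts etc/services"

# Print each resolver file that is absent from the jail (paths are jail-relative).
missing_resolver_files() {
    jail=$1
    for f in $RESOLVER_FILES; do
        [ -e "$jail/$f" ] || echo "$f"
    done
}

# Read ldd output on stdin and print each shared object whose absolute path
# does not exist inside the jail. Only paths containing ".so" are taken, so the
# header line and the executable's own path are skipped; this works for both
# OpenBSD's column layout and the Linux "lib => /path (addr)" layout.
missing_libs_from_ldd() {
    jail=$1
    grep -o '/[^ :]*\.so[^ :]*' | LC_ALL=C sort -u | while read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# Whole audit for one binary: resolver files plus its shared objects.
audit_jail() {
    jail=$1; bin=$2
    missing_resolver_files "$jail"
    ldd "$bin" 2>/dev/null | missing_libs_from_ldd "$jail"
}

# Usage: sh audit.sh /path/to/chroot/jail /usr/local/bin/php-fpm-70
if [ "$#" -eq 2 ]; then
    audit_jail "$1" "$2"
fi
```

Each printed path is something to copy (or bind-mount) into the jail; an empty report means the jail has what this check looks for.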