I'm using Nginx and PHP-FPM and have many users. Every user has his own user name and group, but I see that every PHP script runs with uid and gid nobody. I also know that php-fpm.conf has user and group configured as nobody.
I tried to use a pool, but no luck:
[website.com]
user = user1
group = user1
listen = /var/run/php5-fpm-user1.sock
listen.owner = user1
listen.group = user1
;listen.mode = 0666
pm = ondemand
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
But every PHP script still runs as nobody.
Output from a PHP shell (even from user1):
uid=99(nobody) gid=99(nobody) groups=99(nobody)
ps -aux| grep nginx
root 11736 0.0 0.0 964508 2120 ? Ss 13:14 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
root 11737 0.0 0.0 967460 4012 ? S 13:14 0:00 nginx: worker process
root 11738 0.1 0.0 970668 5316 ? S 13:14 0:01 nginx: worker process
root 11739 0.0 0.0 967588 4000 ? S 13:14 0:00 nginx: worker process
root 11741 0.0 0.0 967464 4604 ? S 13:14 0:00 nginx: worker process
root 11742 0.0 0.0 966428 3448 ? S 13:14 0:00 nginx: worker process
root 11744 0.0 0.0 966428 3648 ? S 13:14 0:00 nginx: worker process
root 11745 0.0 0.0 966428 3520 ? S 13:14 0:00 nginx: worker process
root 11746 0.0 0.0 966428 3484 ? S 13:14 0:00 nginx: worker process
root 11749 0.0 0.0 964672 2412 ? S 13:14 0:00 nginx: cache manager process
ps -aux| grep php (for all other users except user1)
root 11760 0.0 0.0 1232104 6512 ? Ss 13:14 0:00 php-fpm: master process (/etc/php/php-fpm.conf)
nobody 13568 7.3 0.6 1307036 107936 ? S 13:21 0:41 php-fpm: pool www
nobody 13627 7.6 0.6 1306808 111000 ? S 13:22 0:37 php-fpm: pool www
nobody 13628 7.4 0.6 1291900 99348 ? S 13:22 0:36 php-fpm: pool www
nobody 13629 7.0 0.6 1306748 109308 ? S 13:22 0:33 php-fpm: pool www
ps -aux| grep user1
gerges 15586 7.0 0.0 1231908 13464 ? S 13:32 0:00 php-fpm: pool san-gerges.com
Output from a PHP shell from user1:
uid=99(nobody) gid=99(nobody) groups=99(nobody)
The problem is that I can easily access another user's files if the folder permission is 755, and I can also read the file contents. The only way to avoid this is to chmod all folders to 711, but that is not supported by some scripts.
Is there any way to prevent a user from accessing another user's files and to run each script as its owner using PHP-FPM and Nginx, exactly as suPHP does?
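A pool's user and group apply only to requests that nginx passes to that pool's listen socket, so one isolation check is to map each vhost's fastcgi_pass target to the pool that owns it and compare the pool's user with the site owner. The following is an added example, not part of the original post; the nginx server block, the [www] pool's socket path and the expected-owner map are constructed assumptions.

```python
import configparser
import re

# Constructed sample: the post's pool plus a default [www] pool (socket path assumed).
POOLS_INI = """
[www]
user = nobody
listen = /var/run/php5-fpm.sock
[website.com]
user = user1
listen = /var/run/php5-fpm-user1.sock
"""
# Constructed vhost (hypothetical): fastcgi_pass still targets the default pool.
NGINX_CONF = r"""
server {
    server_name website.com;
    location ~ \.php$ { fastcgi_pass unix:/var/run/php5-fpm.sock; }
}
"""

def pools_by_listen(ini_text):
    """Map each pool's listen address to (pool name, configured user)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(ini_text)
    return {cp[s]["listen"]: (s, cp[s].get("user"))
            for s in cp.sections() if "listen" in cp[s]}

def server_blocks(conf):
    """Yield the body of every `server { ... }` block using brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(nginx_conf, pools_ini, expected_owner):
    """Return (vhost, socket, pool, run_as, ok) for each fastcgi_pass found."""
    pools = pools_by_listen(pools_ini)
    rows = []
    for block in server_blocks(nginx_conf):
        m = re.search(r"\bserver_name\s+([^;]+);", block)
        name = m.group(1).split()[0] if m else "_"
        for target in re.findall(r"\bfastcgi_pass\s+([^;\s]+)\s*;", block):
            sock = re.sub(r"^unix:", "", target)
            pool, user = pools.get(sock, (None, None))
            ok = user is not None and user == expected_owner.get(name)
            rows.append((name, sock, pool, user, ok))
    return rows

if __name__ == "__main__":
    for row in audit(NGINX_CONF, POOLS_INI, {"website.com": "user1"}):
        print("%s -> %s pool=%s runs_as=%s ok=%s" % row)
```

The parser does not resolve include files or named upstreams, so run it over the fully expanded configuration (for nginx, the output of `nginx -T`) and the concatenated pool files.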