We know the processing part is separate from the database in load balancing.

For processing I use php-fpm. I have to select a Linux user and group in the php-fpm pool.

If I use root as user and group for php-fpm pool, is there any security issue?

These servers are only used for running our high-traffic website. There is no other user who will host a website.

; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]

user = root
group = root

listen.owner = root
listen.group = root
listen.mode = 0660
Moin Uddin
  • I fail to see the "loadbalancing" part of the question. You basically just ask whether running fpm pool as root is a bad idea. It is. A very bad one. Maybe you should rephrase the question. – jficz Nov 05 '17 at 20:08
  • I should not rephrase. You did not understand the broad side of the question. php-fpm can be used in load balancing or in a shared environment. There is more than one user/customer in a shared system. Load balancing can have more than one user, but my load balancing has only one. No other user. Since there is no other user except me, is running the fpm pool good or bad? I asked the question from that context. – Moin Uddin Nov 05 '17 at 22:07

1 Answer

If I use root as user and group for php-fpm pool, is there any security issue?

Yes, this is a security issue indeed. Any vulnerability in PHP-FPM or (what is even worse) in any application handled by this PHP-FPM pool gives the attacker root access.

PHP-FPM was designed to run pools with non-root privileges, possibly different from the www-server privileges, which is considered safer. Running pools with root privileges is the opposite of that.
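
A small check for the setting discussed in this answer, added here as an example (it is not part of the original answer or of PHP-FPM): it parses pool configuration text and reports pools whose `user` or `group` is root, plus a world-writable `listen.mode`. The account names `app` and `www-data` in the hardened sample are assumptions, and comment handling is simplified to "everything after `;`".

```python
import re

# Constructed sample: the pool settings shown in the question.
QUESTION_POOL = """\
; Start a new pool named 'www'.
[www]
user = root
group = root
listen.owner = root
listen.group = root
listen.mode = 0660
"""

# Constructed sample; 'app' and 'www-data' are assumed account names.
HARDENED_POOL = """\
[www]
user = app
group = app
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
"""

def parse_pools(text):
    """Return {pool: {directive: value}}; text after ';' is dropped as a comment."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = pools.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return pools

def audit(text):
    """Flag pools whose workers run as root or whose socket is world-writable."""
    findings = []
    for name, cfg in parse_pools(text).items():
        for key in ("user", "group"):
            if cfg.get(key) in ("root", "0"):  # numeric id 0 is root as well
                findings.append(f"[{name}] {key} = {cfg[key]}: PHP code runs as root")
        mode = cfg.get("listen.mode")
        if mode and int(mode, 8) & 0o002:
            findings.append(f"[{name}] listen.mode = {mode}: socket is world-writable")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(QUESTION_POOL)))
```

Run against the question's pool it reports the `user` and `group` lines; the hardened sample, where the pool account differs from the socket owner, produces no findings.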