On Thu, 17 May 2018 11:26:54 +0000 (UTC)
Stuart Henderson <s...@spacehopper.org> wrote:
> No need to run multiple copies of php-fpm yourself, it handles multi
> uid itself. Various ways to handle chroot as well, you can chroot them
> separately, or use a shared chroot and rely on permissions. This
> should give you some ideas:

I rather like the idea of separate chroots, or at least a chroot that
would keep the listening socket out of reach. Separate sockets for
separate users are not very useful if, for example, one user is allowed
to fopen() another user's socket, for which the PHP function is just a
thin wrapper over the C call. I'm quoting here from OpenBSD's stock
configuration file (from ports & packages.)

==%<-- /etc/php-fpm.conf
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web
; server. Many BSD-derived systems allow connections regardless of
; permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = www
listen.group = www
listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
==%<--

I'm not trying to be hung up on PHP especially, either. This is rather
a general issue, because we would have exactly the same problem in
Perl, Python, Ruby, or any of several other popular web languages out
there.

On Thu, 17 May 2018 11:20:29 +0300
Vadim Zhukov <persg...@gmail.com> wrote:
> Regarding su-php, I'd go with per-user php-fpm process, actually,
> that's much safer, and rarely used ones can easily wait in swap
Do you think I have thousands of customers, and the little people's web
pages are taking too long to load? No, that's a whole other issue ...

> (I feel that you're trying to pack as many users as possible).

Ok, sure, but if you can't do that, then what is the point of a
multi-user operating system, anyways? A one-user webserver? Because
everybody has permission somehow or another to read everybody else's
scripts and database passwords.

So let's start with a much simpler use case: I need to be able to add a
test user and try out some stupid or crazy web programming project or
idea without risking my production stuff that happens to be hosted on
the same machine. Customers do that anyways at any web hosting
provider.

> Did you ever look in /etc/examples?

"Jesus saith unto them, Did ye never read in the scriptures, ... ?"

That's almost a little bit of a mess, because these are not actual
settings applied to system configuration, and I would not have expected
to find them in the /etc directory. I was looking for examples more
in /usr/share somewhere before my system locate database was populated.
That one (/etc/examples/httpd.conf) somewhat "encourages" https-only,
without actually using hsts.

That would be okay, except a lot of times I am at a coffee shop or
similar, and I have to visit a plain http page to trigger a redirect
for login, because I am not willing to waive the certificate validation
error that I get when I try to visit a secure site from public wifi
somewhere.

> OpenBSD HTTPd is a web server, but not each web server is
> fully-featured Apache HTTP Server replacement. So, yes, no UserDir.
> If you need this functionality, then just install apache-httpd from
> packages.

Apache has plenty of its own shortcomings, and I'm sure there was good
cause to throw it out of base OpenBSD.
