I have had some time to build a new devel box to play with php.
I have done some reading and found out MySQL is now replaced by the MariaDB fork, and came to the conclusion I won't use either of them, as clearly there is some business (on both sides, Oracle and Mr. Monty) going on here that I don't think will do any good, so I decided to go for PostgreSQL.
Then I found a nice comparison showing that there is this nice alternative to Apache - nginx, which might be faster and consume less memory on my vps (article) and at the same time drop fewer users if the site is busier than usual. So nginx we go.
I followed the wiki and built nginx + php-fpm. The proposed set-up includes locking nginx in a chroot jail, and so I did. HTML worked ok out of the box, however php was giving no joy:
/run/php-fpm/php-fpm.sock failed (2: No such file or directory)
More reading gave me the idea that the wiki might be wrong and this set-up won't work without two additional steps - letting php-fpm know that it should look at another chroot and - in the same config file - forcing the socket to be created in the /run/php-fpm/ directory in nginx's chroot. Setting those two results in php cooperating well with chrooted nginx.
So here is my question (apologies for the quite too long preface) - is it safe? Do I lose the whole idea of the chroot jail by asking php-fpm to create its socket in the /run/php-fpm/ directory of the chrooted environment?
I will appreciate it if you can share your thoughts on this one.
--- edit (27-08-2013)
Maybe I asked this question in the wrong place or maybe I asked it in a stupid way.. Anyway - I was thinking about that problem and came to the conclusion that the answer might depend.
My ultimate goal was not to use a TCP socket because of its speed drawback when compared to php-fpm.sock.
Also php-fpm was not running in the chroot jail. I failed to set this up and I believe the 'chroot' option does not change anything, at least on my build (and probably it should not, as I was not copying any php related files to the nginx chroot environment):
# ps -ef | grep php-fpm
root      9921     1  0 Aug26 ?        00:00:13 php-fpm: master process (/etc/php/php-fpm.conf)
http      9922  9921  0 Aug26 ?        00:00:00 php-fpm: pool www
http      9923  9921  0 Aug26 ?        00:00:00 php-fpm: pool www
I was a bit surprised to see that the php-fpm master process is being run by root... and no chroot at all.
So I ask myself the question whether in such circumstances moving the socket to the chroot jail will change anything? I think no. If an attacker exploits php-fpm they will get access to the real root, and even worse - I might be wrong, but probably the php-fpm master process being run as root is the bigger threat.
So even though my explanation might not hold, I guess I answered my question myself.
I think the real question should be - was anyone successful building php-fpm into a chroot jail and having it work with nginx running from the same chroot jail?
Last edited by Gregosky (2013-08-27 21:36:07)
cat /etc/systemd/system/php5-fpmc.service

[Unit]
Description=The PHP FastCGI Process Manager
After=network.target

[Service]
Type=forking
#PIDFile=/var/run/php5-fpm.pid
PIDFile=/media/root-samsu/chroot-arch/pids/php-fpm.pid
RootDirectory=/media/root-samsu/chroot-arch
ExecStartPre=sh -c 'errors=$(/usr/sbin/php-fpm --fpm-config /etc/php/php-fpm.conf -t 2>&1 | grep "\[ERROR\]"); if [ -n "$errors" ]; then echo "Please fix your configuration file..."; echo $errors; exit 1; fi'
ExecStart=/usr/sbin/php-fpm
#--fpm-config /etc/php/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

cat /etc/php/php-fpm.conf | grep -v ";" | grep -v "^$"

[global]
pid = /pids/php-fpm.pid

[www]
user = http
group = http
listen = 9005
listen.owner = http
listen.group = http
listen.mode = 0660
pm = dynamic
pm.max_children = 15
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 7
security.limit_extensions = .php .php3 .php4 .php5 .html .htm
If it were me, I would place the sockets in the folder where I put the pids (if same user and same permissions (php and nginx)); it is too easy if you manually chroot and fix permissions. Check/look at the permissions on the folders. I haven't used sockets for a long time, but I tested it (I can't rewrite the nginx config):
listen = /pids/php-fpm_Domaintolisten.socket
Last edited by Alambre (2013-08-29 22:39:28)
Alambre, I'm doing so - the pid is being created in the same folder as the socket (in the nginx chroot), however php-fpm is not running from that chroot. I'm guessing that in order to have it done properly I need to copy some php-fpm related bins and libs to have it working, but at the moment it's beyond my skills.
I failed to find related information by googling for it, and my books don't mention anything about exploiting sockets/pids from a chroot jail, so at the moment I have two choices - either be paranoid (which I should be) and change to TCP sockets (slower) or accept the risk until I find the way to make php-fpm chroot into the same chroot jail.
Funny thing - in php-fpm.conf there is a parameter called `chroot` which I can set to the nginx chroot, however it does not affect how the service is running (it runs from the real root)... Could you advise on that?
Do you see the socket file?
listen = where/x.socket?
In the right location?
From the host:
ps aux | grep php
root      1648  0.0  0.1  47956   288 ?        Ss   ago28   0:08 php-fpm: master process (/etc/php/php-fpm.conf)
[....]
ps aux | grep nginx
root      1983  0.0  0.0  24072   112 ?        Ss   ago28   0:00 nginx: master process /usr/sbin/nginx
Please paste your .service config or how you chroot.
PD: I made a full chroot jail (https://wiki.archlinux.org/index.php/Archbootstrap). My initial problem was here: in /chroot_dir/etc/passwd the id from the host and the id from the chroot mismatch. It is too easy if your host isn't Arch Linux and the default ids mismatch, or you set another id in the chroot jail: the first process is root (id 0 from the chroot) but the rest is a user with another id.
If you use the chroot string, a problem is where to locate the socket file (absolute path, and permissions (chroot $(chroot process))).
PD2: maybe under another name the basic idea is understood:
ps aux | grep php
root      1648  0.0  0.1  47956   288 ?        Ss   ago28   0:09 php-fpm: master process (/etc/php/php-fpm.conf)
www-data  9653  0.0  1.6  48404  4180 ?        S    ago28   0:00 php-fpm: pool www
or you only see a uid as a number
Last edited by Alambre (2013-08-29 23:40:11)
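The two things the thread is guessing about from `ps` output, whether the pool is really chrooted (Gregosky's listing shows the master as root with no visible jail) and whether the uid of `http` in the jail's passwd matches the host's (Alambre's PD), can be checked rather than inferred. The Python below is an added example, not code from either poster or from php-fpm or nginx: THREAD_FPM_CONF is constructed from the php-fpm.conf pasted above, HARDENED_FPM_CONF and the passwd fragments are hypothetical, and `chroot_of` reads /proc/<pid>/root, which is where a chroot is actually visible (`ps` never shows one).

```python
"""Audit helpers for the php-fpm / nginx chroot questions in this thread (added example)."""
import configparser
import os
import re

# Constructed from the php-fpm.conf pasted in the thread (comments stripped).
THREAD_FPM_CONF = """
[global]
pid = /pids/php-fpm.pid
[www]
user = http
group = http
listen = 9005
listen.owner = http
listen.group = http
listen.mode = 0660
pm = dynamic
pm.max_children = 15
security.limit_extensions = .php .php3 .php4 .php5 .html .htm
"""

# Hypothetical hardened pool; the paths are assumptions, not from the thread.
HARDENED_FPM_CONF = """
[global]
pid = /run/php-fpm/php-fpm.pid
[www]
user = http
group = http
chroot = /srv/http
listen = /run/php-fpm/php-fpm.sock
listen.owner = http
listen.group = http
listen.mode = 0660
security.limit_extensions = .php
"""

PHP_EXT = re.compile(r"^\.(php\d*|phar)$")  # extensions FPM may legitimately execute


def parse_fpm_conf(text):
    """php-fpm.conf is INI-like: ';' comments, 'key = value', literal '$VAR' values."""
    cfg = configparser.ConfigParser(
        interpolation=None, strict=False, inline_comment_prefixes=(";",)
    )
    cfg.read_string(text)
    return cfg


def audit_pool(cfg, pool="www"):
    """Return finding codes for one pool; an empty list means nothing was flagged."""
    sec = cfg[pool]
    findings = []
    if sec.get("user", "") == "root" or sec.get("group", "") == "root":
        findings.append("pool-runs-as-root")
    # Without a pool 'chroot', a compromised worker lands in the real root,
    # whatever nginx does inside its own jail.
    if not sec.get("chroot", "").strip():
        findings.append("no-pool-chroot")
    listen = sec.get("listen", "").strip()
    if listen and not listen.startswith("/"):
        # A port or host:port: any local process may connect unless clients are pinned.
        if not sec.get("listen.allowed_clients", "").strip():
            findings.append("tcp-listen-unrestricted")
    else:
        mode = int(sec.get("listen.mode", "0660"), 8)
        if mode & 0o007:  # 'other' bits set: every local uid can talk to the pool
            findings.append("socket-mode-world-accessible")
    exts = sec.get("security.limit_extensions", ".php .phar").split()
    if any(not PHP_EXT.match(e) for e in exts):
        # .html/.htm here means an uploaded non-PHP file is executed as PHP.
        findings.append("limit-extensions-non-php")
    return findings


def chroot_of(pid):
    """Root of a running process as the host sees it ('/' means not chrooted).
    Needs the same privilege as the target; None if /proc is unavailable or denied."""
    try:
        return os.readlink(f"/proc/{pid}/root")
    except OSError:
        return None


def passwd_uid(passwd_text, name):
    """uid of `name` from passwd-file contents, or None if the user is absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == name:
            return int(fields[2])
    return None


def uid_mismatch(host_passwd, jail_passwd, name):
    """(host_uid, jail_uid) when they differ, else None: a mismatch means the
    socket owner inside the jail is not the uid nginx/php-fpm run as outside it."""
    h, j = passwd_uid(host_passwd, name), passwd_uid(jail_passwd, name)
    return (h, j) if h != j else None


# Constructed passwd fragments illustrating the host/jail uid mismatch.
HOST_PASSWD = "root:x:0:0::/root:/bin/bash\nhttp:x:33:33::/srv/http:/usr/bin/nologin\n"
JAIL_PASSWD = "root:x:0:0::/root:/bin/bash\nhttp:x:1000:1000::/srv/http:/usr/bin/nologin\n"

if __name__ == "__main__":
    print("thread config:", audit_pool(parse_fpm_conf(THREAD_FPM_CONF)))
    print("hardened     :", audit_pool(parse_fpm_conf(HARDENED_FPM_CONF)))
    print("http uid     :", uid_mismatch(HOST_PASSWD, JAIL_PASSWD, "http"))
    print("this process :", chroot_of(os.getpid()))
```

Run it as root on the host with the php-fpm pool's PID (`chroot_of(9922)` for the listing above) to see whether the workers are jailed; a value of `/` means the pool `chroot` option is not taking effect. php-fpm's pool-level `chroot` applies to the worker children only: the master stays un-chrooted as root so it can bind sockets and drop privileges, which is exactly what both `ps` listings show, and because the master creates the listening socket, `listen` is a path in the real root that must also be reachable, by the same uid, at the path nginx uses inside its jail. The config audit flags the thread's pasted pool on three counts (no pool chroot, an unrestricted TCP listener, and `.html`/`.htm` in `security.limit_extensions`) and passes the hypothetical hardened pool.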