On Thu, 17 May 2018 11:26:54 +0000 (UTC)
Stuart Henderson <s...@spacehopper.org> wrote:
> No need to run multiple copies of php-fpm yourself, it handles multi
> uid itself. Various ways to handle chroot as well, you can chroot them
> separately, or use a shared chroot and rely on permissions. This
> should give you some ideas:
I rather like the idea of separate chroots, or at least a chroot that
would keep the listening socket out of reach. Separate sockets for
separate users are not very useful if, for example, one user is allowed
to fopen() another user's socket, for which the PHP function is just a
thin wrapper over the C call. I'm quoting here from OpenBSD's stock
configuration file (from ports & packages.)
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web
; server. Many BSD-derived systems allow connections regardless of
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www
listen.group = www
listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
I'm not trying to be hung up on PHP especially, either. This is rather
a general issue, because we would have exactly the same problem in
Perl, Python, Ruby, or any of several other popular web languages out
On Thu, 17 May 2018 11:20:29 +0300
Vadim Zhukov <persg...@gmail.com> wrote:
> Regarding su-php, I'd go with per-user php-fpm process, actually,
> that's much safer, and rarely used ones can easily wait in swap
Do you think I have thousands of customers, and the little people's web
pages are taking too long to load? No, that's a whole other issue ...
> (I feel that you're trying to pack as much users as possible).
Ok, sure, but if you can't do that, then what is the point of a
multi-user operating system, anyways? A one-user webserver? Because
everybody has permission somehow or another to read everybody else's
scripts and database passwords.
So let's start with a much simpler use case: I need to be able to add a
test user and try out some stupid or crazy web programming project or
idea without risking my production stuff that happens to be hosted on
the same machine. Customers do that anyways at any web hosting
> Did you ever looked in /etc/examples?
"Jesus saith unto them, Did ye never read in the scriptures, ... ?"
That's almost a little bit of a mess, because these are not actual
settings applied to system configuration, and I would not have expected
to find them in the /etc directory. I was looking for examples more
in /usr/share somewhere before my system locate database was populated.
That one (/etc/examples/httpd.conf) somewhat "encourages" https-only,
without actually using hsts.
That would be okay, except a lot of times I am at a coffee shop or
similar, and I have to visit a plain http page to trigger a redirect
for login, because I am not willing to waive the certificate validation
error that I get when I try to visit a secure site from public wifi
> OpenBSD HTTPd is a web server, but not each web server is
> fully-featured Apache HTTP Server replacement. So, yes, no UserDir.
> If you need this functionality, then just install apache-httpd from
Apache has plenty of its own shortcomings, and I'm sure there was good
cause to throw it out of base OpenBSD.