A Stone Bell

Deep and Sonorous, or maybe just a Dull Thud?


Running PHP securely under apache

The PHP Users

These have to be real Linux users and I suggest that all they do is own the website. I created my equipel user by

adduser equipel --shell=/usr/sbin/nologin --no-create-home --home /nonexistent --disabled-login --gecos "equipel website owner,,,"

This line needs no further input and creates a valid user with no home, no password and no login shell. In effect all it can do is own files, which is precisely what we want. This is the user that goes in the user and group settings of the /etc/php/7.0/fpm/pool.d/equipel.co.uk.conf file.

And, of course, set the ownership of the website files:

chown equipel:equipel /var/www/equipel.co.uk -R

It might seem strange that everything still works if you forget this step, but it does: Apache needs access to the non-PHP files, so it also has access to the PHP ones. The whole point, however, is to restrict the PHP scripts' access to other folders. If the files remain owned by www-data there is still the possibility of a "break out" and cross-site contamination if one site gets hacked, whatever other advantages we gain from using PHP-FPM.
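The three steps above (dedicated user, pool entry, ownership) gathered into one script, with an audit function that lists anything under the document root still owned by someone other than the site user. This is an added example, not code from the original post; the function names, the socket path and the pool directives other than user/group are my assumptions, while the adduser flags and the /etc/php/7.0/fpm/pool.d/ location are the ones the post uses.

```shell
#!/bin/sh
# Per-site PHP-FPM user setup and ownership audit (hypothetical helper script).
set -eu

# Create the site owner exactly as in the post: no home, no password, no shell.
# Needs root. The user's only job is to own the website's files.
create_site_user() {
    user="$1"
    adduser "$user" --shell=/usr/sbin/nologin --no-create-home --home /nonexistent \
        --disabled-login --gecos "$user website owner,,,"
}

# Emit a minimal pool definition that runs PHP as the site user and group.
# Socket path and pm settings are assumed values; the listen.owner lines let
# Apache (www-data) connect to the socket without owning the PHP process.
pool_config() {
    user="$1"; site="$2"
    printf '[%s]\n' "$site"
    printf 'user = %s\ngroup = %s\n' "$user" "$user"
    printf 'listen = /run/php/php7.0-fpm-%s.sock\n' "$site"
    printf 'listen.owner = www-data\nlisten.group = www-data\n'
    printf 'pm = ondemand\npm.max_children = 5\n'
}

# Print every path under the document root (including the root itself) whose
# owner is not the site user. Any output, typically files still owned by
# www-data, is the cross-site "break out" risk the post describes.
# Uses stat rather than find -user so it works even when the user is absent.
audit_ownership() {
    user="$1"; root="$2"
    find "$root" -exec stat -c '%U	%n' {} + | awk -F'	' -v u="$user" '$1 != u { print $2 }'
}

# Usage:
#   setup <user> <site> <docroot>   create user, write pool file, chown docroot
#   audit <user> <docroot>          list files not owned by <user>
case "${1:-}" in
    setup)
        create_site_user "$2"
        pool_config "$2" "$3" > "/etc/php/7.0/fpm/pool.d/$3.conf"
        chown -R "$2:$2" "$4"
        ;;
    audit)
        audit_ownership "$2" "$3"
        ;;
esac
```

Run the audit after every deployment or content upload, since files written by Apache or by a root-run editor land with the wrong owner and silently reopen the hole the per-site user was meant to close.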
