Hi Michael,
Thanks for the reply, and I appreciate it's not a supported feature.
The issue is that the server hosts a few different PHP-based websites. We have a good understanding of the code that runs on them; however, we do run third-party code such as Drupal and WordPress. As you know, these systems come with security issues from time to time, which we patch ASAP, but I'm looking to see if we can enhance their isolation and security a little more.
Using PHP-FPM we run PHP as the account owner, which restricts any issues to that account, which is good; however, I'd like to be able to restrict PHP's write access to files owned by the account to a few folders, to stop any rogue scripts from creating or changing files.
Currently, as PHP runs as the account owner, it always has the ability to make these changes because it owns the files.
When run as DSO, PHP only has group access to the files, so it can be stopped from changing or creating files, but doing this runs the risk of cross-account problems if a site is exploited, which is something I want to avoid.
There are certain areas where we have to allow PHP read/write access to the files, so we can't just disable all file functions, and we also need access to remote locations using curl.
I was hoping it would be possible to have the best of both worlds by creating a separate web user for each account for PHP to run as, and only giving it group permissions to the files.
For example:
account: test.com
user: test
web-user: www-test
I noticed in the PHP-FPM pool configurations that there are settings for user, group, listen_owner etc. and, after adding a www-test user and adding it to the test group, I have had a play via both the yaml files and the conf file directly, but I've not managed to get it to run as www-test, so clearly I'm missing something.
The closest I managed was to have PHP-FPM restart correctly, but when serving PHP files it would report an error of 'File not found'.
I would hope that something like the above could potentially significantly improve the security of a multi-use server with minimal overhead compared to a normal PHP-FPM configuration.
Any help or advice you can give or if I should be going about this in a different way would be greatly appreciated.
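Added example (not from the original post or from any reply in the thread): a per-account PHP-FPM pool that runs as the dedicated web user from the post (www-test) with only group access to the account's files. The account, user and group names come from the post; the paths, socket location, web server user (nginx) and the "uploads" directory are assumptions.

```ini
; Added example, not from the original post. Names test.com / test / www-test
; are from the post; paths, socket and the "uploads" directory are assumed.
;
; Prerequisites (run as root, assumed layout):
;   useradd -r -s /sbin/nologin -G test www-test      # www-test joins group test
;   chown -R test:test /home/test/public_html
;   find /home/test -type d -exec chmod 0750 {} +     # www-test can traverse/read
;   find /home/test -type f -exec chmod 0640 {} +     # ...but not write
;   chmod 0770 /home/test/public_html/uploads         # the only writable area
;
; "File not found" from PHP-FPM (logged as "Primary script unknown") usually
; means the worker user cannot reach the script: every directory on the path,
; including /home/test itself, must grant group test at least r-x. Check with:
;   sudo -u www-test stat /home/test/public_html/index.php

[test.com]
; Pool workers run as the web user, with the account's group for read access.
user  = www-test
group = test

; The web server connects to this socket, so listen.owner / listen.group must
; be the web server's user (assumed nginx here), not the pool user.
listen       = /run/php-fpm/test.com.sock
listen.owner = nginx
listen.group = nginx
listen.mode  = 0660

pm = ondemand
pm.max_children = 10

; Belt and braces: keep PHP file access inside the account even if a script
; misbehaves; php_admin_* values cannot be overridden from user ini files.
php_admin_value[open_basedir]   = /home/test/public_html:/tmp
php_admin_value[upload_tmp_dir] = /home/test/tmp
```

open_basedir is a PHP-level control and does not apply to curl's remote requests, so the filesystem permissions above remain the real boundary; the pool settings only narrow what a script can reach on top of them.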