Running PHP-FPM as a different user

StuB

Registered
Mar 8, 2019
UK
cPanel Access Level
Root Administrator
I currently have a CentOS 7 VPS running cPanel 78 and I'm interested to know if there is any way to make PHP-FPM run as a different user from the account holder.

For example
account username: bob
phpfpm username: bob-php

I ask as it would be useful to restrict PHP's write access to the files in the web folder, in a similar way to DSO, where the files are owned by the user and the group is 'www-data', which allows them access.

I've looked at the file /var/cpanel/userdata/bob/bob.co.uk.php-fpm.yaml and the options for changing the user parameters in there, but when I try making alterations the PHP-FPM server won't restart.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @StuB,

Changing the username or group name PHP-FPM runs as is unsupported; however, I might be able to point you in the right direction for an alternative. Can you share a specific scenario or use case you're attempting to address?

Thank you.
 

StuB

Registered
Mar 8, 2019
UK
cPanel Access Level
Root Administrator
Hi Michael,

Thanks for the reply, and I appreciate it's not a supported feature.

The issue is that the server hosts a few different PHP-based websites. We have a good understanding of the code that runs on them; however, we do run third-party code such as Drupal and WordPress. As you know, these systems come with security issues from time to time, which we patch ASAP, but I'm looking to see if we can enhance their isolation and security a little more.

Using PHP-FPM we run PHP as the account owner, which restricts any issues to that account, which is good; however, I'd like to be able to restrict PHP's write access to files owned by the account to a few folders, to stop any rogue scripts from creating or changing files.

Currently, as PHP runs as the account owner, it always has the ability to make these changes because it owns the files.

When run as DSO, PHP only has group access to the files, so it can be stopped from changing or creating files, but doing this runs the risk of cross-account problems if a site is exploited, which is something that I want to avoid.

There are certain areas where we have to allow PHP read/write access to the files, so we can't just disable all file functions, and we also need access to remote locations using curl.

I was hoping it would be possible to have the best of both worlds by creating a separate web user for each account for PHP to run as, and only giving it group permissions to the files.

For example

account: test.com
user: test
web-user: www-test

I noticed in the PHP-FPM pool configurations that there are settings for user, group, listen_owner etc. and, after adding a www-test user and adding it to the test group, I have had a play via both the YAML files and the conf file directly, but I've not managed to get it to run as www-test, so clearly I'm missing something.

The closest I managed was to have PHP-FPM restart correctly, but when serving PHP files it would report an error of 'File not found'.

I would hope that something like the above could potentially significantly improve the security of a multi-use server with minimal overhead compared to a normal PHP-FPM configuration.

Any help or advice you can give, or a suggestion that I should be going about this in a different way, would be greatly appreciated.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @StuB,

While you might be able to adjust the PHP-FPM configuration settings to achieve what you're seeking to do, it's not something we've tested or can offer advice on. We provide a list of companies offering system administration services if you'd like to explore that configuration with a system administrator:

System Administration Services | cPanel Forums

The issue is that the server hosts a few different PHP-based websites. We have a good understanding of the code that runs on them; however, we do run third-party code such as Drupal and WordPress. As you know, these systems come with security issues from time to time, which we patch ASAP, but I'm looking to see if we can enhance their isolation and security a little more.
If you're open to an alternative solution, then setting up separate cPanel accounts with subdomains for each script you want to isolate is an approach that would give you the result you're looking for.

Thank you.
 

StuB

Registered
Mar 8, 2019
UK
cPanel Access Level
Root Administrator
Hi @cPanelMichael

Thanks for the reply. If I get nowhere and need to take it further, then I'll look at your suggested companies.

As for the idea of a separate subdomain for each script to be isolated, the basic principle is good and something I'll bear in mind, but for this use I think there are too many scripts to handle this in a sensible way.
Thanks again.
 

backblaze

Member
May 17, 2010
This is very strange to me, that cPanel devs don't understand how security must be adjusted for php-fpm.
They still have a single php-fpm master config that pulls in all the users' pools.
No separate php-fpm.conf file for each account.

What to say about other issues like the above... php-fpm must be configured as a different user, with "setfacl" fine-tuning,
so we allow php-fpm to access everything but write only into specific folders. (chmod/chown sucks.)

I was testing the php-fpm implementation in the early stages, but it looks like all my messages were ignored, and no one ever replied.
This is only a few lines of code in your account management scripts to set everything up.

While every cPanel addon/plugin with php-fpm+nginx works as expected, only the cPanel devs don't know how to do it.

You have the same issues with nginx. Hm.
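The layout StuB describes above (account user owns the files, a dedicated web user in the account's group runs the pool, and write access is granted per folder) and backblaze's "read everything, write only into specific folders" point can both be expressed in a few lines. The script below is an added example for this thread, not cPanel's tooling or anything posted by the participants. It uses plain chgrp/chmod group bits instead of setfacl so it runs without the acl package; the pool file path, the socket path, the web server user and the /home/ACCOUNT document-root prefix are placeholders, and it assumes the web user (e.g. www-test) has already been created with the account's group as its primary group.

```shell
#!/bin/sh
# Added example (not from the cPanel thread or cPanel's own scripts).
# Account user "test" owns the files; PHP-FPM runs as "www-test", whose only
# relationship to the files is membership in the "test" group. Group bits then
# decide where PHP may write: 750/640 everywhere (read-only for PHP), 2770/660
# only in the directories passed to restrict_web_writes.
#
# Assumptions (placeholders, not on the page): pool file path, socket path,
# web server user, /home/ACCOUNT as the account tree. The web user is created
# beforehand, e.g.: useradd -g test -M -s /sbin/nologin www-test

# write_pool_config POOL_FILE ACCOUNT_USER WEB_USER WEBSERVER_USER SOCKET
# Writes a PHP-FPM pool whose workers run as WEB_USER with ACCOUNT_USER's group.
# The socket is owned by the web server, because that is who connects to it;
# the web user never needs access to the socket. Prints the pool file path.
write_pool_config() {
    pool_file=$1; account_user=$2; web_user=$3; webserver_user=$4; socket=$5
    cat > "$pool_file" <<EOF
[$account_user]
; worker identity: dedicated web user, but the account's group
user = $web_user
group = $account_user
; socket ownership: the web server process, not the PHP worker
listen = $socket
listen.owner = $webserver_user
listen.group = $webserver_user
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; confine PHP file access to the account tree (/home/ACCOUNT is a placeholder)
php_admin_value[open_basedir] = /home/$account_user:/tmp
EOF
    printf '%s\n' "$pool_file"
}

# restrict_web_writes DOCROOT GROUP WRITABLE_DIR...
# Whole tree: group may read and traverse but not write (750 dirs, 640 files,
# nothing for "other"). Listed directories (recursively): group may write too,
# and the setgid bit makes files PHP creates there inherit GROUP, so the
# account owner keeps access to uploads and caches the site writes.
restrict_web_writes() {
    docroot=$1; group=$2; shift 2
    chgrp -R "$group" "$docroot"
    find "$docroot" -type d -exec chmod 750 {} +
    find "$docroot" -type f -exec chmod 640 {} +
    for dir in "$@"; do
        [ -d "$dir" ] || mkdir -p "$dir"
        find "$dir" -type d -exec chmod 2770 {} +
        find "$dir" -type f -exec chmod 660 {} +
    done
}

# mode_of PATH: ls-style permission string (e.g. drwxrws---) for verification.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo: build a constructed site tree in a temp dir, apply the layout, show it.
demo() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    mkdir -p "$tmp/site/inc" "$tmp/site/uploads/2019"
    touch "$tmp/site/index.php" "$tmp/site/inc/db.php" "$tmp/site/uploads/2019/a.jpg"
    restrict_web_writes "$tmp/site" "$(id -gn)" "$tmp/site/uploads"
    for p in inc index.php uploads uploads/2019 uploads/2019/a.jpg; do
        printf '%s  %s\n' "$(mode_of "$tmp/site/$p")" "$p"
    done
    cat "$(write_pool_config "$tmp/www-test.conf" test www-test nobody /run/php-fpm/www-test.sock)"
}

demo
```

Two things follow from this layout that the thread only hints at. First, PHP-FPM's default umask gives files the worker creates group read but not group write, so if the account user also needs to modify uploads, the pool's umask has to be relaxed or the account user must chmod them. Second, a "File not found" reply from the web server is what PHP-FPM sends when the worker cannot open the requested script, so the first check after switching the pool user is whether that user can traverse and read every directory from the account's home down to the document root (the group bits above only help if the web user really is in the account's group). Application self-updates through the web UI will also fail in the read-only parts of the tree; that is the intended trade-off, and updates are then applied as the account user.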
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @backblaze,

I recommend submitting your feedback on our feature request property:

Submit A Feature Request

Here's the format to follow when opening the request:

As a {cPanel User, System Administrator, web-hosting provider, or any other user perspective}, I would like {the feature that is being requested} so that {benefit that the request adds to the product}.

A benefit to opening a feature request (as opposed to a forums thread) with this type of feedback is that requests on our feature request property are directly reviewed by staff members in Development. Feel free to share the feature request link here once it's approved and I'll share it to spread awareness.

Thank you.