Running PHP-FPM as a different user

Discussion in 'Security' started by StuB, Mar 8, 2019.

  1. StuB

    I currently have a CentOS 7 VPS running cPanel 78 and I'm interested to know if there is any way to make PHP-FPM run as a different user to the account holder.

    For example
    account username: bob
    phpfpm username: bob-php

    I ask as it would be useful to restrict php's write access to the files in the web folder in a similar way that when using DSO the files are owned by the user and the group is 'www-data' which allows them access.

    I've looked at the file /var/cpanel/userdata/bob/bob.co.uk.php-fpm.yaml and the options for changing the user parameters in there but when I try making alterations the PHP-FPM server won't restart.
     
  2. cPanelMichael (Technical Support Community Manager, Staff Member)

    Hello @StuB,

    Changing the username or group name PHP-FPM runs as is unsupported, however I might be able to point you in the right direction for an alternative. Can you share a specific scenario or use-case you're attempting to address?

    Thank you.
     
  3. StuB

    Hi Michael,

    Thanks for the reply and I appreciate it's not a supported feature.

    The issue is the server hosts a few different PHP based websites that we have a good understanding of the code that runs on them, however we do run third party code such as Drupal and WordPress. As you know these systems come with security issues from time to time which we patch asap, but we are looking to see if we can enhance their isolation and security a little more.

    Using PHP-FPM we run PHP as the account owner which restricts any issues to that account which is good however I'd like to be able to restrict PHP's write access to files owned by the account to a few folders to stop any rogue scripts from creating or changing files.

    Currently, as PHP runs as the account owner, it always has the ability to make these changes as it owns the files.

    When run as DSO, PHP only has group access to the files so it can be stopped from changing or creating files, but doing this runs the risk of cross account problems if a site is exploited, which is something that I want to avoid.

    There are certain areas where we have to allow PHP read/write access to the files so we can't just disable all file functions and we also need access to remote locations using curl.

    I was hoping it would be possible to have the best of both worlds by creating a separate web user for each account for PHP to run as and only give it group permissions to the files.

    For example

    account: test.com
    user: test
    web-user: www-test

    I noticed in the PHP-FPM pool configurations that there are settings for user, group, listen_owner etc and, after adding a www-test user and adding it to the test group, I have had a play via both the yaml files and the conf file directly but I've not managed to get it to run as www-test so clearly I'm missing something.

    The closest I managed was to have PHP-FPM restart correctly but when serving PHP files it would report an error of 'File not found'.

    I would hope that something like the above could potentially significantly improve the security of a multi-use server with minimal overhead compared to a normal PHP-FPM configuration.

    Any help or advice you can give or if I should be going about this in a different way would be greatly appreciated.
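The permission side of the model described in the post above, as an added example that is not code from the thread or from cPanel: files stay owned by the account user (test), the pool's worker runs as a separate web user (www-test) that is only a member of the account's group, and group write is permitted only inside a few named directories. Assumptions: the www-test user, its group membership, the chown of the docroot and the pool's user/group directives have already been set up by root, so this script only handles mode bits and auditing.

```sh
#!/bin/sh
# Added example, not code from the thread or from cPanel: helpers for the
# permission model StuB describes. Files stay owned by the account user
# ("test"), PHP-FPM runs as a separate web user ("www-test") that is only a
# member of the account's group, and group write is allowed only inside a
# few directories (uploads, cache, ...).
# Assumed already done by root: useradd www-test -G test, chown -R test:test
# on the docroot, and pool directives user = www-test / group = test.

# lockdown_docroot DOCROOT [WRITABLE_DIR ...]
# Make everything readable/traversable by the group but not writable; then
# allow group write in the listed subdirectories and set the setgid bit on
# them so files PHP creates there keep the account's group, not www-test's.
lockdown_docroot() {
  docroot=$1; shift
  chmod -R g+rX,g-w "$docroot"
  for d in "$@"; do
    chmod -R g+w "$docroot/$d"
    find "$docroot/$d" -type d -exec chmod g+s {} +
  done
}

# audit_group_writable DOCROOT [WRITABLE_DIR ...]
# Print every path under DOCROOT that the group could write to and that is
# outside the allowed directories. Empty output means the policy still holds;
# suitable for a cron job that alerts on drift after deploys or CMS updates.
audit_group_writable() {
  docroot=$1; shift
  prune=""
  for d in "$@"; do
    prune="$prune -path $docroot/$d -prune -o"
  done
  # shellcheck disable=SC2086  # $prune is split into find arguments on purpose
  find "$docroot" $prune -perm -g+w -print
}
```

Run `lockdown_docroot /home/test/public_html uploads cache` once after deploying, then schedule `audit_group_writable` with the same arguments; any path it prints is a file the PHP worker could modify that the policy did not intend.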
     
  4. cPanelMichael (Technical Support Community Manager, Staff Member)

    Hello @StuB,

    While you might be able to adjust the PHP-FPM configuration settings to achieve what you're seeking to do, it's not something we've tested or can offer advice on. We provide a list of companies offering system administration services if you'd like to explore that configuration with a system administrator:

    System Administration Services | cPanel Forums

    If you're open to an alternative solution, then setting up separate cPanel accounts with subdomains for each script you want to isolate is an approach that would give you the result you're looking for.

    Thank you.
     
  5. StuB

    Hi @cPanelMichael

    Thanks for the reply and if I get nowhere and need to take it further then I'll look at your suggested companies.

    As for the idea of a separate subdomain for each script to be isolated, the basic principle is good and something I'll bear in mind, but for this use I think there are too many scripts to handle this in a sensible way.
    Thanks again.
     