Several months ago I began experimenting with php-fpm FastCGI appservers and nginx webservers under OpenBSD. The environment remains in the lab only and is not yet in production.
All app and web servers run chrooted. The environment is further secured with read-only access to .php code by the appservers, making it more difficult for arbitrary injected code to be executed. PHP on OpenBSD includes the Suhosin security features as well.
Running PHP chrooted requires having the complete set of executables and libraries within the chroot structure. I use a small script after upgrades to refresh the php chrooted environment:
Code:
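#!/bin/sh
# Refresh the PHP files and shared libraries inside the /var/www chroot.
cd /var/www || exit 1
# PHP configuration, binaries and modules; tar strips the leading "/" from
# the stored paths, so they are recreated relative to /var/www.
tar cf - `ls -d /etc/php* /usr/local/{lib,bin,sbin}/php*` | tar xpf -
# Shared libraries the php binaries link against (ldd column 7 is the path).
tar cf - `ldd /usr/local/sbin/php* | grep usr | awk '{print $7}'` | tar xpf -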
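
A check that can be run after the refresh script above, as an added example that is not part of the original post: it lists every shared object the php binaries need that is absent from the chroot. The function names and the CHROOT variable are assumptions; the ldd parsing relies on the same OpenBSD column layout the script uses.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the CHROOT
# variable are assumptions made for illustration.

CHROOT=${CHROOT:-/var/www}

# Read OpenBSD ldd(1) output on stdin and print the object paths under /usr
# (column 7, "Name"), one per line, de-duplicated. The binary itself and
# ld.so are listed by ldd too, so they are included.
ldd_libs() {
    awk '$7 ~ /^\/usr\// { print $7 }' | LC_ALL=C sort -u
}

# Read absolute paths on stdin; print each one that does not exist as a
# regular file at the same location below the chroot directory given as $1.
missing_in_chroot() {
    while IFS= read -r path; do
        [ -f "$1$path" ] || printf '%s\n' "$path"
    done
}

# Check every php binary in /usr/local/bin and /usr/local/sbin.
# Returns 0 when the chroot is complete, 1 (with a list on stderr) otherwise.
check_chroot() {
    missing=$(ldd /usr/local/bin/php* /usr/local/sbin/php* 2>/dev/null |
        ldd_libs | missing_in_chroot "$CHROOT")
    [ -z "$missing" ] && return 0
    printf 'missing from %s:\n%s\n' "$CHROOT" "$missing" >&2
    return 1
}
```

Calling `check_chroot` at the end of the refresh script turns a stale library after an upgrade into a visible failure rather than a php-fpm process that will not start inside the chroot.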