4th January 2013
jggimi

Several months ago I began experimenting with php-fpm FastCGI appservers and nginx webservers under OpenBSD. The environment remains in the lab only and is not yet in production.

All app and web servers run chrooted. The environment is further secured with read-only access to .php code by the appservers, making it more difficult for arbitrary injected code to be executed. PHP on OpenBSD includes the Suhosin security features as well.

Running PHP chrooted requires having the complete set of executables and libraries within the chroot structure. I use a small script after upgrades to refresh the php chrooted environment:
Code:
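#!/bin/sh
# Work inside the chroot; stop if it is missing so nothing is extracted elsewhere.
cd /var/www || exit 1
# Copy the PHP configuration, libraries and executables into the chroot.
tar cf - `ls -d /etc/php* /usr/local/{lib,bin,sbin}/php*` | tar xpf -
# Copy the shared libraries under /usr that ldd reports for the PHP binaries.
tar cf - `ldd /usr/local/sbin/php* | grep usr | awk '{print $7}'` | tar xpf -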
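A check that complements the refresh script above, added here as an example and not part of jggimi's post: it reports files the chroot is missing or that no longer match the host copy, which after an upgrade means the chrooted PHP is still running old binaries or libraries. The function names are hypothetical; the path list and the `ldd` field number are taken from the script in the post.

```shell
#!/bin/sh
# Added example (not from the original post).
# chroot_drift CHROOT_DIR  < list of absolute host paths, one per line
# Prints "MISSING <path>" when the chroot has no copy and "STALE <path>"
# when the chroot copy differs from the host file. Returns 1 on any finding.
chroot_drift() {
    root=$1
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ ! -e "$root$path" ]; then
            echo "MISSING $path"
            rc=1
        elif [ -f "$path" ] && ! cmp -s "$path" "$root$path"; then
            # Only regular files are compared byte for byte.
            echo "STALE $path"
            rc=1
        fi
    done
    return $rc
}

# List the files the refresh script copies: the PHP files themselves plus
# the libraries under /usr that ldd reports (field 7, as in the post).
php_chroot_paths() {
    find /etc/php* /usr/local/lib/php* /usr/local/bin/php* \
         /usr/local/sbin/php* -type f 2>/dev/null
    ldd /usr/local/sbin/php* 2>/dev/null | grep usr | awk '{print $7}' | sort -u
}

# Typical use on the host, after an upgrade and after the refresh script:
#   php_chroot_paths | chroot_drift /var/www
```

A non-zero exit status means the refresh script needs to be run again before the appservers are restarted.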