OpenBSD General

OpenBSD & SFTP ChrootDirectory !
Hi.
I have a test user. In sshd_config I set ChrootDirectory for the test user to /home/test. I want the test user to have access to /var/www/test/public_html. We know the pathname in ChrootDirectory must be root-owned, so if I set the owner of /var/www/test to root, php-fpm can't access this folder (group is www). How can I do it? NFS is good, but I don't know about security or performance. And OpenBSD does not support mount --bind.
I think we are in jail. But I found a better solution for this shortage. I set ChrootDirectory to /var/www; I think it is better, if no security problem exists later.
What is your comment about my idea?
If you set the ChrootDirectory to /var/www, you are giving the chrooted ssh/sftp user filesystem access to your entire web server environment. Every virtual server, all PHP scripts, all data stored in files.
Is that your intent? If the purpose of the chroot() is to isolate the untrusted user to a single virtual server that uses PHP, then set that single instance of php-fpm to use an isolated group and user instead of www:www.
I have tested ChrootDirectory use with PHP script uploads. It works fine.
So /var/www/ is isolated.
If I understand your use-case correctly, you have multiple virtual servers providing service through a single webserver and single php-fpm instance:
Code:
[virtual webserver A][virtual webserver B][virtual webserver C]
                              |
                              |
                         [webserver]
                              |
                              |
                          [php-fpm]
Please let me describe the structure of the system. This is the folder structure:

/var/www/
Code:
drwxr-xr-x 2 root deamon .... bin
drwxr-xr-x 2 root deamon .... run
drwxr-xr-x 2 root deamon .... usr
drwxr-x--- 2 root deamon .... cgi-bin
drwxr-x--- 2 root deamon .... logs
drwxr-x--- 2 UserA www .... UserA
drwxr-x--- 2 UserB www .... UserB

Code:
drwx------ 2 root deamon .... logs
drwx------ 2 UserA deamon .... tmp
drwxr-x--- 2 UserA www .... public_html

/etc/php-fpm.d/UserA.conf
Code:
[UserA]
user = $pool
group = $pool
listen = /var/www/run/php-fpm-$pool.sock
listen.owner = www
listen.group = www
listen.mode = 0660
chroot = /var/www
access.log = /var/www/$pool/logs/phpfpm-access-$pool.log
slowlog = /var/www/$pool/logs/phpfpm-slowlog-$pool.log
php_admin_value[session.save_path] = /$pool/tmp
php_admin_value[error_log] = /$pool/logs/php-error-$pool.log
php_admin_value[upload_tmp_dir] = /$pool/tmp
php_admin_value[open_basedir] = /$pool

Code:
DisableForwarding yes
Subsystem sftp internal-sftp
Match User UserA
    ChrootDirectory /var/www
    ForceCommand internal-sftp

If UserA or UserB logs in via sftp, everything is secure. If UserA or UserB runs a PHP script, everything is secure. Hmmm, is that true?

Last edited by jonsec; 21st August 2019 at 02:33 AM.
Thank you for explaining. I believe I understand that:
I'm also concerned about denial of service or other forms of interference possible with a shared DBMS and a shared PHP instance.