Home > Backend Development > PHP Tutorial > Detailed explanation of PHP-FPM's Chroot execution environment, detailed explanation of php-fpmchroot_PHP tutorial

Detailed explanation of PHP-FPM's Chroot execution environment, detailed explanation of php-fpmchroot_PHP tutorial

Release: 2016-07-13 09:45:13
1435 people have browsed it

Detailed explanation of the Chroot execution environment of PHP-FPM, detailed explanation of php-fpmchroot

Setting up chroot in PHP-FPM has a good isolation effect and improves system security, but it must It is a bit difficult to establish a reasonable PHP-FPM Chroot environment, which is more troublesome than using tools such as debootstrap. Here, by referring to relevant information, the Chroot execution environment of PHP-FPM is sorted out and shared with everyone.

This article takes Ubuntu 14.04.2 as an example. php-fpm uses the PHP5.6 version provided by ppa:ondrej/php5-5.6, which should be consistent with the php-fpm and system directory structure of the system and the Debian system. of. Please adjust CentOS yourself.

The chroot environment configuration of php-fpm is not related to the server front-end used, nor does it require Apache/Nginx to perform chroot. Of course that's safer - and more complicated.

1. Establish directory structure

The directory selection for chroot is /var/www/chroot, and the page file is placed in /var/www/chroot/public.

Execute the following command to establish the basic directory structure:

mkdir -p /var/www/chroot/
cd /var/www/chroot
mkdir -p public bin dev tmp usr/sbin/ usr/share/zoneinfo/ var/run/nscd/ var/lib/php5/sessions var/www
cp -a /dev/zero /dev/urandom /dev/null dev/ #注3
chmod --reference=/tmp tmp/
chmod --reference=/var/lib/php5/sessions var/lib/php5/sessions #注4
chown -R root:root .     #注2
chown -R www-data:www-data public/ #注2
cd var/www
ln -s ../.. chroot     #注1
Copy after login

The following is the directory structure at this time, and some new things will be added later:

├── bin
├── dev
│ ├── null
│ ├── urandom
│ └── zero
├── public
├── tmp
├── usr
│ ├── sbin
│ └── share
│ └── zoneinfo
└── var
 ├── lib
 │ └── php5
 │ └── sessions
 ├── run
 │ └── nscd
 └── www
 └── chroot -> ../.. #注1

Copy after login

Note 1: This soft link is used to solve the problem that the SCRIPT_FILENAME passed to php-fpm by Apache/nginx cannot find the file after entering the chroot (accessing the php page returns "File not found").

Taking nginx as an example, SCRIPT_FILENAME is usually set to $document_root$fastcgi_script_name, and the script path passed to php-fpm is /var/www/chroot/public/index.php. Since php-fpm is in a chroot environment, the path it actually tries to access becomes /var/www/chroot /var/www/chroot/public/index.php, which of course does not exist.

So use a soft connection to link /var/www/chroot in the chroot environment to the root directory, and you can access the script normally.

Of course you can also set SCRIPT_FILENAME to /public$fastcgi_script_name . However, such hard coding is not conducive to configuration migration and can only be used in a chroot environment. If you switch back to a non-chroot environment, you need to modify the configuration. So it is not recommended to do this. (By the way, there are many old tutorials that do not use $document_root and directly hardcode the root directory, which is of course not advisable)

Note 2: The chroot environment is not 100% safe. Since the execution permission of php-fpm in a chroot environment is www-data, it is still recommended to set the owner of non-essential directories to root to reduce unnecessary access permissions. chroot does not equal security, refer to some principles listed in chroot best practices. From a safer perspective, it is best to remove the read and write permissions of bin, lib, sbin and other directories, leaving only executable permissions, but there is no big difference...

Note 3: In addition to copying the file content, cp -a will also copy the file permissions, mode and other information. It can be easily used to directly copy the three key device files zero, urandom and null. mknod seems to be a more reliable method, but cp -a seems to be fine for me to use.

Note 4: chmod --reference=XXX will refer to XXX's permissions to set subsequent permissions. I won’t mention tmp. The key is that the following var/lib/php5/sessions is the directory where PHP stores session files, and www-data needs to have read and write permissions. It is recommended to take a look at it after setting it up. Of course there will be testing later.

2.PHP-FPM configuration

Create a new php-fpm execution pool to build a chroot environment. It is not recommended to modify php-fpm.conf directly, because this takes effect globally. If there are multiple PHP sites, they will share a chroot environment.

In fact, many php-fpm tutorials ignore the configuration of the php-fpm pool, causing many people to share a set of configurations for all sites on a server, especially a set of php.ini configurations. In fact, Unreasonable. The pool should be created separately according to the needs of the site and the parameters should be adjusted in it.

Create a new chroot.conf under /etc/php5/fpm/pool.d/ (note that it must end with .conf to be called by php-fpm.conf):

user = www-data
group = www-data
listen = /var/run/php-chroot.sock
listen.owner = www-data
listen.group = www-data

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3

chroot = /var/www/chroot
chdir = /public
;security.limit_extensions = .php
php_flag[display_errors] = on
php_value[date.timezone] = Asia/Hong_Kong
;php_admin_value[session.gc_probability] = 1
;php_admin_value[open_basedir] = "/tmp/:/public/:/var/www/chroot/public/"

Copy after login

The previous parameters are relatively familiar. You only need to simply set chroot to the configured environment root directory to enable chroot. After testing it by executing php5-fpm -t, use service php5-fpm reload to enable the new pool. Of course, the backend must be set up in the corresponding configuration of Apache/nginx.

Mention the last few lines. The fourth to last line turns on display_errors so that you can test the function of PHP under chroot later. Remember to comment it out after testing.

Set session.gc_probability to allow the PHP process to delete and recycle the session by itself. Normally, the session is cleaned by the cron task added by PHP, but it seems that PHP will not automatically clean the session in the chroot environment. Of course, you can also add an automatically executed script under cron.d to clean it yourself, so there is no need to turn on this option.

3. Repair various functions of PHP in Chroot environment

Create a new test.php under /var/www/chroot/public and write the following content:

Copy code The code is as follows:
header( "Content-Type: text/plain" );
echo( gethostbyname( "localhost" )."n" );
print_r( getdate() );
mail( "your@address", "subject", "message" );


访问上面的测试页面,提示No such directory or file或者Permission denied说明session配置不正确。 gethostbyname 返回的不是127.0.0.1或者::1,则说明DNS解析没有生效。提示 timezone database is corrupt 之类的,说明时间和日期有错误。mail()也会有各种错误提示。


3.1 域名解析/时区等问题



nscd是(e)glibc的“Name Service Caching Daemon”。除了处理gethostbyname()这样的函数外,也处理getpwnam()等需要访问/etc/passwd的函数。(e)glibc访问nscd的unix socket, /var/run/nscd/socket 来通过nscd获取这些内容,如果不能连接到nscd则转而自行进行解析。

也就是说,只要装好nscd,并且让chroot环境里的程序能够访问到socket连接上nscd,就可以把chroot环境内的解析请求转由chroot外顺利进行了。由于/var/run一般是tmpfs,硬链接无法跨文件系统使用,所以可以使用 mount -bind 来把/var/run/nscd目录mount到chroot环境中同样的位置去即可。

同样的道理,用 mount -bind 把/usr/share/zoneinfo目录mount到chroot环境里,配合在php-fpm的pool里设置date.timezone就可以非常直接而暴力的解决时区问题。

先执行 apt-get install nscd 安装nscd,然后为了能够让 mount -bind 自动执行,把下面的脚本存为 /etc/init.d/php-chroot

# Provides:  php5-fpm-chroot-setup
# Required-Start: nscd
# Required-Stop:
# Default-Start:  2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Bind-mounts needed sockets and data into a php-fpm-chroot
DIRS="/var/run/nscd /usr/share/zoneinfo"
case "$1" in
 $0 stop 2>/dev/null
 for d in $DIRS; do
  mkdir -p "${CHROOT}${d}"
  mount --bind -o ro "${d}" "${CHROOT}${d}"
 for d in $DIRS; do
  umount "${CHROOT}${d}"
 echo "Usage: $N {start|stop}" >&2
 exit 1
exit 0

Copy after login

执行 update-rc.d php-chroot defaults 来让脚本在启动时执行。如果有多个chroot环境以及多个目录需要bind-mount,可以自行添加一个循环改写。

这个方法的好处是简单易行,不需要拷贝大量etc下的配置文件和库文件到chroot环境中。使用nscd在解决域名访问的问题过程中也顺道解决了/etc/passwd和/etc/group。但是bind-mount和nscd的安全性尚没有确切的说法,只能说so far so good。另外 mount -bind 会消耗一定的系统资源,有评论称大约一个mount 大概会消耗500k内存,所以对于大量的chroot环境(几百个)不见得适合。





其它常用配置。/etc/passwd和/etc/group有时也是需要的,但是内容 似乎可以伪造 ,至少可以选择性的填写不用完全拷贝主系统里的。


复制代码 代码如下:
ps aux | grep php | grep 'chroot' #chroot是php的pool名


strace -p 进程pid -o chroot1.txt& #有多个子进程就修改pid执行多次,输出改为chroot2/3.txt存到不同文件里


3.2 修复mail()




system()调用产生的命令行是 /bin/sh -c command 。在chroot环境中调用外部程序必须存在/bin/sh,一个基本的shell。通常选择拷贝dash:

复制代码 代码如下:
#cp /bin/dash /var/www/chroot/bin/sh

注意运行 ldd /bin/dash 观察需要拷贝哪些库文件。我这里的回显是:

复制代码 代码如下:
ldd /bin/dash
linux-vdso.so.1 => (0x00007fff779fe000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f165620f000)
/lib64/ld-linux-x86-64.so.2 (0x00007f16567fc000)



前面那句 “必须存在/bin/sh,一个基本的shell” 其实并不是真的,对于mail()只要有一个能接受-c参数调用后面的命令的程序就可以了。所以Kienzl写了这样一个程序:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define MAXARG 64
int main( int argc, char* const argv[] ) {
 char* args[ MAXARG ] = {};
 if( argc < 3 || strcmp( argv[1], "-c" ) != 0 ) {
 fprintf( stderr, "Usage: %s -c <cmd>\n", argv[0] ); 
 return 1;
 char* token;
 int i = 0; 
 char* argStr = strdup( argv[2] );
 while( ( token = strsep( &argStr, " " ) ) != NULL ) {
  if( token && strlen( token ) )
  args[ i++ ] = token;
  if( i >= MAXARG )
  return 2;
 return execvp( args[0], args );

Copy after login

保存成sh.c执行: gcc sh.c -o sh -static 然后把sh拷贝到chroot环境的/bin目录下即可。





复制代码 代码如下:
wget http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.8.tar.gz
tar zxf mini_sendmail-1.3.8.tar.gz
cd mini_sendmail-1.3.8
cp mini_sendmail /var/www/chroot/usr/sbin/sendmail





wget ftp://ftp.debian.org/debian/pool/main/s/ssmtp/ssmtp_2.64.orig.tar.bz2
tar jxf ssmtp_2.64.orig.tar.bz2
cd ssmtp_2.64
./configure --prefix=/ #别忘了prefix
make     #千万别手抖make install
cp ssmtp /var/www/chroot/usr/sbin
mkdir -p /var/www/chroot/etc/ssmtp
cp ssmtp.conf revaliases /var/www/chroot/etc/ssmtp #配置文件
cd /var/www/chroot/usr/sbin
ln -s ssmtp sendmail
Copy after login



root=admin@example.com  #其实这行好像可以乱写

mailhub=smtp.example.com  #smtp服务器地址
hostname=myexample.com  #此处的hostname似乎会用于产生默认的“root@myexample.com”形式的发件人地址
AuthUser=admin@example.com #此处使用真实的登录用户名
AuthPass=password   #密码
FromLineOverride=YES   #允许改写发件人

Copy after login


复制代码 代码如下:
# 本地用户名:发件人地址:smtp服务器[:端口(默认25)]


复制代码 代码如下:
chroot /var/www/chroot /bin/sh #此时/bin/sh一定要是真正的shell
echo "Subject: test"|sendmail -v username@server.com #替换邮件地址为自己的



MySQL的连接可能会遇到问题 ,因为如果填写localhost的话php会试图寻找MySQL的unix socket来访问mysqld。填写127.0.0.1通过TCP连接就没有问题了

├── bin
│ └── sh
├── dev
│ ├── null
│ ├── urandom
│ └── zero
├── etc
│ └── ssmtp
│ ├── revaliases
│ └── ssmtp.conf
├── lib
│ └── libc.so.6
├── lib64
│ └── ld-linux-x86-64.so.2
├── public
├── tmp
├── usr
│ ├── sbin
│ │ ├── sendmail -> ssmtp
| │ └── ssmtp
│ └── share
│ └── zoneinfo
│  ├── 大量时区的目录结构
│  └── zone.tab
└── var
 ├── lib
 │ └── php5
 │ └── sessions
 ├── run
 │ └── nscd
 │ ├── nscd.pid
 │ └── socket
 └── www
 └── chroot -> ../..
Copy after login


www.bkjia.comtruehttp://www.bkjia.com/PHPjc/1042681.htmlTechArticlePHP-FPM之Chroot执行环境详解,php-fpmchroot详解 在PHP-FPM中设立chroot,有很好的隔离作用,提高系统安全性,但是要想建立一个合理的PHP-FPM Chr...
Related labels:
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
Latest Downloads
Web Effects
Website Source Code
Website Materials
Front End Template