
How do I mount a private temp folder for PHP-FPM in chroot?



Hi guys,



I am trying to teach myself how to set up an nginx and chrooted php-fpm environment in Debian 8.
I specifically want to ask a question about the tmp directory for the php-fpm chroot.

So I chrooted the PHP-FPM pool worker that is handling my PHP website into /var/www/mywebsite.

### /etc/php5/fpm/pool.d/mywebsite.conf
```
# ...
chroot=/var/www/mywebsite
# ...
```


This directory has a subdirectory htdocs/ in which the website's php files are, like index.php and so on.

Amongst other things, the PHP-FPM worker needs access to /tmp. So I bind-mounted /tmp into /var/www/mywebsite/tmp.


`mount --bind /tmp /var/www/mywebsite/tmp`

*Let me tell you at this moment that this is the first time I have used the mount command. I think I understand what `mount --bind` is doing, and I believe this would be the preferred choice to give the PHP-FPM worker access to the tmp directory, but I really have no experience to tell whether that is the way to go. So if you see something odd, please let me know.*


This solution did indeed work. However, I am in doubt whether this is really a secure way to do it. If I have a pool of PHP-FPM applications, they would all share the same tmp directory. I can only imagine this is a security problem. So I was looking into how that particular PHP-FPM worker could have something like a private tmp directory. And I found something.


I read about [PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243) on the Red Hat blog, and this is possible in Debian 8, too. I added `PrivateTmp=true` to the configuration located at `/etc/systemd/system/multi-user.target.wants/php5-fpm.service`, and now I see a new folder `systemd-private-90d6b4c0238b41199e49bcf031b45183-php5-fpm.service-kyXS8P/` in /tmp. However, when I create a file in /tmp as root and run a PHP script containing `<?php scandir("/tmp"); ?>` using the chrooted php-fpm, I can still see that test file created by root, and even read and write to it. I also see that `systemd-private-...` folder.

I am a bit at a loss here. I have several questions:

1. Should I even care about giving each PHP-FPM worker a private tmp directory?
2. How would I best create a private tmp directory for each PHP-FPM worker?
3. If 1 and 2 were answered with yes, how do I get `PrivateTmp=true` to work, as it seems like the least time-consuming and most uniform solution?

Cheers

Stadtpirat

