Sunday, December 23, 2012

Security improvement: nginx symlink and php-fpm chroot features


I found this new directive in the old nginx documentation:

disable_symlinks if_not_owner; # off | on | if_not_owner

The default value is off! Setting it to if_not_owner is a good security improvement and I recommend it.
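To make the rule concrete, here is an added Python model of what if_not_owner checks (this is illustrative code written for this post, not nginx's own implementation): every prefix of the requested path is lstat'ed, and if it is a symlink whose owner differs from the owner of the object it points to, the request is rejected. The function names, the FakeStat record and the SAMPLE_FS table are constructed for the example; the checker also runs against a real filesystem with the default os.lstat/os.stat.

```python
import os
import stat
from collections import namedtuple
from pathlib import PurePosixPath

# Minimal stat-like record so the checker can be driven by a constructed
# filesystem table as well as by os.lstat/os.stat on a real system.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")


def symlink_owner_violations(path, lstat=os.lstat, stat_fn=os.stat):
    """Return the path components that nginx's `disable_symlinks if_not_owner`
    would reject: every prefix of `path` that is a symlink whose owner (uid of
    the link itself) differs from the owner of the object it points to.
    An empty list means the file would be served."""
    parts = PurePosixPath(path).parts
    violations = []
    for i in range(1, len(parts) + 1):
        component = str(PurePosixPath(*parts[:i]))
        link_info = lstat(component)          # does not follow the link
        if stat.S_ISLNK(link_info.st_mode):
            target_info = stat_fn(component)  # follows the link
            if link_info.st_uid != target_info.st_uid:
                violations.append(component)
    return violations


def make_fake_fs(table):
    """Build lstat/stat callables from a constructed table of
    path -> (is_symlink, link_uid, target_uid). The mode only needs to
    distinguish symlink from non-symlink for the checker above."""
    def fake_lstat(p):
        is_link, link_uid, _ = table[p]
        return FakeStat(stat.S_IFLNK if is_link else stat.S_IFDIR, link_uid)

    def fake_stat(p):
        _, _, target_uid = table[p]
        return FakeStat(stat.S_IFREG, target_uid)

    return fake_lstat, fake_stat


# Constructed example: two shared-hosting customers, uid 1001 and uid 1002.
SAMPLE_FS = {
    "/": (False, 0, 0),
    "/var": (False, 0, 0),
    "/var/www": (False, 0, 0),
    "/var/www/alice": (False, 1001, 1001),
    # alice's own symlink to her own release directory: same owner, allowed
    "/var/www/alice/current": (True, 1001, 1001),
    "/var/www/alice/current/index.php": (False, 1001, 1001),
    # a symlink in alice's docroot pointing at a file owned by bob: rejected
    "/var/www/alice/peek.php": (True, 1001, 1002),
}


def demo():
    """Run the checker over the constructed table; returns (allowed, denied)."""
    fake_lstat, fake_stat = make_fake_fs(SAMPLE_FS)
    allowed = symlink_owner_violations("/var/www/alice/current/index.php",
                                       fake_lstat, fake_stat)
    denied = symlink_owner_violations("/var/www/alice/peek.php",
                                      fake_lstat, fake_stat)
    return allowed, denied


if __name__ == "__main__":
    print(demo())  # ([], ['/var/www/alice/peek.php'])
```

Calling symlink_owner_violations on a real docroot path with the defaults gives a quick way to find which symlinks nginx would start refusing once the directive is enabled, so you can fix legitimate same-owner deployments (e.g. chown the link) before rolling it out.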

Also don't miss the php-fpm chroot feature! You can build a chroot jail for a running fpm pool by extracting an OS template into the chroot directory (choose the template that matches your main OS). I had to run the following additional commands to get DNS resolution and PHP working correctly inside the chrooted jail:

cd jail-path   # the directory the OS template was extracted into
# character devices PHP and libc expect (major 1 = Linux memory devices)
mknod -m 666 dev/null c 1 3
mknod -m 666 dev/zero c 1 5
mknod -m 666 dev/random c 1 8
mknod -m 666 dev/urandom c 1 9
# resolver libraries so hostname lookups work inside the jail
cp /lib/*dns* lib
cp /lib64/*dns* lib64
echo "nameserver 8.8.8.8" > etc/resolv.conf
# hand the whole tree to the pool's user
chown -R user:user .
