disable_symlinks if_not_owner; # off | on | if_not_owner
The default value is off. Setting it to if_not_owner is a good security improvement and I recommend it.
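Before switching to if_not_owner it helps to know which existing symlinks would stop being served. The following is an added example, not code from the original post: it reports links under a web root whose owner differs from the owner of the target, which is the condition nginx documents for if_not_owner. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def audit_symlinks(root):
    """Return sorted (path, reason) pairs for symlinks under root that would
    not be served with 'disable_symlinks if_not_owner'."""
    findings = []
    # followlinks=False: linked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link_uid = os.lstat(path).st_uid       # owner of the link itself
            try:
                target_uid = os.stat(path).st_uid  # owner of the resolved object
            except OSError:
                # dangling or looping link: nothing to serve either way
                findings.append((path, "target missing"))
                continue
            if link_uid != target_uid:
                findings.append(
                    (path, "link uid %d != target uid %d" % (link_uid, target_uid)))
    return sorted(findings)


def build_sample_docroot(root):
    """Constructed sample tree: a same-owner link, a link to /etc/passwd
    (owned by root on typical systems) and a dangling link."""
    index = os.path.join(root, "index.html")
    with open(index, "w") as f:
        f.write("ok")
    os.symlink(index, os.path.join(root, "home.html"))
    os.symlink("/etc/passwd", os.path.join(root, "leak.txt"))
    os.symlink(os.path.join(root, "gone"), os.path.join(root, "dangling"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        for path, reason in audit_symlinks(root):
            print(path, "->", reason)
```

Run it as a user who can read the whole web root; a link that an unprivileged site owner points at a root-owned file is the case the setting blocks.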
Also, don't miss the php-fpm chroot feature! You can make a chroot jail for a working fpm pool by extracting an OS template into the chrooted folder (select the template which matches your main OS). I had to run the following additional commands to make DNS resolving and PHP work correctly in the chrooted jail:
cd jail-path
# character devices needed inside the jail (major 1; minors 3, 5, 8, 9)
mknod -m 666 dev/null c 1 3
mknod -m 666 dev/zero c 1 5
mknod -m 666 dev/random c 1 8
mknod -m 666 dev/urandom c 1 9
# resolver libraries and resolver config so DNS lookups work inside the jail
cp /lib/*dns* lib
cp /lib64/*dns* lib64
echo "nameserver 8.8.8.8" > etc/resolv.conf
chown -R user:user .