PHP-FPM's chroot and chdir directory

I am setting up php-fpm with chrooting enabled. Now I see that there are two options, and I want to know what the exact difference is.

The setup has:

chroot = /var/www/domains/domain.tld/
; Chdir to this directory at the start. This value must be an absolute path.
; Default Value: current directory or / when chroot
chdir = /docroot/

Why are there two different locations here, and which path is php allowed to access? Can the php website access /var/www/domains/domain.tld/, or can it only access files within the docroot directory?

===

Maybe there is some concrete advice for me. I want to have a setup like this:

webroot location: /var/www/

domain.com/
 |---conf/
 |    |--nginx.conf
 |    |--php-fpm.conf
 |
 |---ssl/
 |---logs/
 |---session/
 |---domains/
       |---www/
       |---app/
       |---dev/

Now here the php-fpm settings would be:

chroot = /var/www/domain.com/
chdir  = /domains/www

Now the main question here is: will the application located in the www subdomain be able to access the files in dev or app? Or even the files located in session, which is the session save path, or the other folders such as ssl and logs?


  • Chroot sets the 'root' directory - you cannot navigate above the root directory.
  • Chdir simply changes the starting directory - it is still possible to navigate to other directories (including those above this).
    • If you don't specify a chroot path, then the 'real' root applies - and you specify an absolute chdir.
    • If you do specify a chroot path, then you specify a path relative to the chroot'd path (which redefines the root directory).

The settings you have proposed seem quite fine.

  • The starting path would be the chroot path + the chdir path
  • The app will be able to access all files under the chroot path (unless there are other restrictions - e.g. php_openbasedir, permissions, etc) in place.

As a side note - your php-application will also have access to your nginx.conf and php-fpm.conf based on the document structure you have shown - which seems like something you may want to change (at least making the files read-only to that user).
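As an added example (not part of the question or the answer above), this is what a php-fpm pool file for the layout in the question could look like, with open_basedir layered on top of chroot/chdir so the www application is confined to its own tree plus the session directory instead of the whole chroot. The pool user name, the socket path and the existence of a /tmp directory inside the chroot are assumptions:

```ini
; Added example, not taken from the question or answer.
; Assumed: the pool runs as the hypothetical user/group "domain_www" and
; /var/www/domain.com/tmp exists on the host (seen as /tmp inside the chroot).
; Inside the chroot every path PHP sees is relative to the chroot directory:
; host path /var/www/domain.com/domains/www is "/domains/www" to PHP.
[www]
user = domain_www
group = domain_www
listen = /var/run/php-fpm-domain_www.sock

chroot = /var/www/domain.com/
chdir  = /domains/www

; Without open_basedir, PHP may read anything under the chroot that the pool
; user can read: /domains/app, /domains/dev, /session, /conf, /ssl, /logs.
; open_basedir is checked after the chroot, so these paths are chroot-relative.
; php_admin_value cannot be overridden by ini_set() from application code.
php_admin_value[open_basedir] = /domains/www:/session:/tmp

; Keep session files and uploads inside directories the open_basedir allows.
php_admin_value[session.save_path] = /session
php_admin_value[upload_tmp_dir] = /tmp
```

open_basedir is enforced by PHP itself, so it only limits PHP's own file functions; it is not a substitute for the filesystem permissions the answer mentions. The conf/ and ssl/ directories should still be made unreadable (or at least read-only) for the pool user on the host side, and every directory named in open_basedir and session.save_path must exist inside the chroot, otherwise sessions and uploads fail silently.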