PHP-FPM's chroot and chdir directory
I am setting up php-fpm with chrooting enabled. Now I see that there are two options, and I want to know what the exact difference is.
The setup has:
chroot = /var/www/domains/domain.tld/
; Chdir to this directory at the start. This value must be an absolute path.
; Default Value: current directory or / when chroot
chdir = /docroot/
Why are there two different locations here, and which path is PHP allowed to access? Can the PHP website access /var/www/domains/domain.tld/, or can it only access files within the docroot directory?
===
Maybe there is some concrete advice for me. I want to have a setup like this:
webroot location: /var/www/
domain.com/
|---conf/
|   |--nginx.conf
|   |--php-fpm.conf
|
|---ssl/
|---logs/
|---session/
|---domains/
    |---www/
    |---app/
    |---dev/
Now here the php-fpm settings would be:
chroot = /var/www/domain.com/
chdir = /domains/www
Now the main question here is: will the application located in the www subdomain be able to access the files in dev or app? Or even the files located in session, which is the session save path, or the other folders such as ssl and logs?
- Chroot sets the 'root' directory - you cannot navigate above the root directory.
- Chdir simply changes the starting directory - it is still possible to navigate to other directories (including those above this).
- If you don't specify a chroot path, then the 'real' root applies - and you specify an absolute chdir.
- If you do specify a chroot path, then you specify a path relative to the chroot'd path (which redefines the root directory).
The settings you have proposed seem quite fine.
- The starting path would be the chroot path + the chdir path
- The app will be able to access all files under the chroot path (unless there are other restrictions - e.g. php_openbasedir, permissions, etc) in place.
As a side note - your php-application will also have access to your nginx.conf and php-fpm.conf based on the document structure you have shown - which seems like something you may want to change (at least making the files read-only to that user).
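To make the chroot/chdir distinction concrete, here is a small model (an added example, not code from the question or the answer) that resolves paths the way a chrooted PHP-FPM worker would see them, using the directory layout from the question. It shows that the start directory is chroot + chdir, that any path under the chroot resolves to a host file the pool can open (the conf/ files included), that `..` can never climb above the chroot, and that the `open_basedir` directive the answer alludes to is what narrows access further. The `open_basedir` value used below is an assumed hardening, not part of the page; in a pool file it would be set with `php_admin_value[open_basedir]`.

```python
"""Model of how PHP-FPM's chroot and chdir combine to decide which host
paths a pool's PHP code can reach.  Added example (not from the question
or the answer); the directory layout is the one from the question, and
the open_basedir value is an assumed hardening, not part of the page."""
from typing import List, Optional
import posixpath

# Layout from the question: host paths under /var/www/domain.com/.
CHROOT = "/var/www/domain.com"
CHDIR = "/domains/www"  # written with a leading '/', but relative to the chroot
LAYOUT = [              # the sibling directories the question asks about (jail view)
    "/conf", "/ssl", "/logs", "/session",
    "/domains/www", "/domains/app", "/domains/dev",
]
# Assumed hardening: trailing '/' on each entry, see allowed_by_open_basedir().
HARDENED_OPEN_BASEDIR = "/domains/www/:/session/"


def start_dir(chroot: str, chdir: str) -> str:
    """Host-side directory the worker starts in.

    With a chroot, chdir is interpreted inside the new root, so the real
    start directory is chroot + chdir; without one, chdir is an ordinary
    absolute path."""
    if not chroot or chroot == "/":
        return posixpath.normpath(chdir)
    return posixpath.normpath(posixpath.join(chroot, chdir.lstrip("/")))


def resolve_in_chroot(chroot: str, jail_cwd: str, path: str) -> str:
    """Map a path as PHP sees it (inside the jail) to the host path it names.

    Inside the jail '/' is the chroot directory and '..' cannot climb above
    it, so the result is always at or below `chroot`.  That is why chroot
    bounds the application while chdir only picks the starting point."""
    jail_path = path if posixpath.isabs(path) else posixpath.join(jail_cwd, path)
    # normpath discards '..' segments that would climb above '/', which is
    # what the kernel does for a chrooted process.
    jail_path = posixpath.normpath(jail_path)
    if not chroot or chroot == "/":
        return jail_path
    return posixpath.normpath(posixpath.join(chroot, jail_path.lstrip("/")))


def allowed_by_open_basedir(jail_path: str, open_basedir: Optional[str]) -> bool:
    """Apply PHP's open_basedir rule to a jail-side path.

    open_basedir is a ':'-separated list of *prefixes*, not directories.  An
    entry without a trailing '/' also admits sibling names that merely start
    with it ('/domains/www' matches '/domains/www-old'), so a restrictive
    value ends every entry with '/'."""
    if open_basedir is None:
        return True
    target = posixpath.normpath(jail_path)
    for prefix in open_basedir.split(":"):
        if prefix.endswith("/"):
            # Exact directory: the directory itself or anything below it.
            if target == prefix.rstrip("/") or target.startswith(prefix):
                return True
        elif target.startswith(prefix):
            # Bare prefix: string match, including look-alike siblings.
            return True
    return False


def reachable(chroot: str, chdir: str, open_basedir: Optional[str] = None) -> List[str]:
    """Host paths of the LAYOUT directories that PHP code in the pool can
    reach (ownership and file-mode restrictions are not modelled)."""
    return [
        resolve_in_chroot(chroot, chdir, jail_dir)
        for jail_dir in LAYOUT
        if allowed_by_open_basedir(jail_dir, open_basedir)
    ]


if __name__ == "__main__":
    print("start dir :", start_dir(CHROOT, CHDIR))
    print("chroot only:", reachable(CHROOT, CHDIR))
    print("+open_basedir:", reachable(CHROOT, CHDIR, HARDENED_OPEN_BASEDIR))
```

Run stand-alone, the first list contains every directory in the layout, conf/, ssl/, logs/ and session/ included, while the second is cut down to the two entries in the assumed `open_basedir`. Because PHP itself runs inside the jail, every path it consults (`open_basedir`, `session.save_path`) is written relative to the chroot, exactly as `chdir` is.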