PHP-FPM's chroot and chdir directory

php-fpm chroot

I am setting up php-fpm with chrooting enabled. Now I see that there are two options, and I want to know what the exact difference is.

The setup has:

chroot = /var/www/domains/domain.tld/
; Chdir to this directory at the start. This value must be an absolute path.
; Default Value: current directory or / when chroot
chdir = /docroot/

Why are there two different locations here, and which path is php allowed to access. Can the php website access /var/www/domains/domain.tld/, or can it only access files withing the docroot directory.

===

Maybe there is some concrete advice for me. I want to have a setup like this:

webroot location: /var/www/

domain.com/
 |---conf/
 |    |--nginx.conf
 |    |--php-fpm.conf
 |
 |---ssl/
 |---logs/
 |---session/
 |---domains/
       |---www/
       |---app/
       |---dev/

Now here the php-fpm settings would be:

chroot = /var/www/domain.com/
chdir  = /domains/www

Now the main question here is, will the application located in the www subdomain be able to access the files in dev or app. Or even the files located in session, which is the session save path, or the other folders such as ssl and logs.


  • Chroot sets the 'root' directory - you cannot navigate above the root directory.
  • Chdir simply changes the starting directory - it is still possible to navigate to other directories (including those above this).
    • If you don't specify a chroot path, then the 'real' root applies - and you specify an absolute chdir.
    • If you do specify a chroot path, then you specify a path relative to the chroot'd path (which redefines the root directory).

The settings you have proposed seem quite fine.

  • The starting path would be the chroot path + the chdir path
  • The app will be able to access all files under the chroot path (unless there are other restrictions - e.g. php_openbasedir, permissions, etc) in place.

As a side note - your php-application will also have access to your nginx.conf and php-fpm.conf based on the document structure you have shown - which seems like something you may want to change (at least making the files read-only to that user).

Related

How to resize RAID1 array with mdadm?
What are some pitfalls of hosting a website from home?
Port Forwarding from Host to Guest with libvirt 0.8.3 Using KVM on Ubuntu
How to automatically start VM created by virt-manager?
Deleting a UNIX directory with a hyphen in the name
Outlook security alert - The name on the security certificate is invalid or does not match the name of the site
Non-responsive apache + mod_wsgi after installing scipy
How can I force other users to log out?
How can I detect Slowloris?
Why does Window's SSL Cipher-Suite get restricted under certain SSL certificates?
How do I bulk reset passwords for all users in an OU?
Why is my "volume bytes used" always increasing on my Amazon Aurora cluster?