What system files need to be in a jailed environme

Published 2019-07-20 04:28

Question:

I'm using php5-fpm on ubuntu 12.04, and have separate pools and chroot locations for each domain hosted with nginx. However, I know that some system files need to be directly in the jail, but which ones do I need?

I know that DNS resolution isn't working currently, and I have read a few articles that say I need to copy some of the system core files into the directory, but they never really go into details of which ones I actually need to copy into there.

I know there is something for DNS, timezone (PHP seems to error for any time/date related functions).

And I was just wondering about the use of chroot in general. Is it even worth using it or would it be more secure to have a separate partition for each domain, or even just having a separate vm for each domain (which would cost more resources)?

Answer 1:

I, too, was searching for an answer for this. After some research the answer does not seem to be that simple.

Something is quite obvious because it's used for nearly everything. These files here are for resolving names, ports and the timezone.

  • /etc/hosts
  • /etc/nsswitch.conf
  • /etc/resolv.conf
  • /etc/services
  • /etc/localtime

But there are much more things you'd need depending on the extensions you have installed and how PHP is compiled. I don't know if you need them, but just in case you need it, you can get a list of libraries PHP uses by using the command ldd and your PHP-binary as argument:

ldd /usr/bin/php5

Depending on the path your extensions are in, you can use the same command to get the libraries required:

ldd /usr/lib/php5/20100525/*

Now you just have to watch out for other executables you use in your PHP-config file. In my case I found a reference to sendmail.

I didn't get it fully working for me ... I still have some issues resolving names using curl. But just so far to get a start :)

Sources:

  • http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
  • http://forum.nginx.org/read.php?3,229450,229450

EDIT: Here's a script I got from someone at IRC. I haven't tried it, but he said it works quite well ... http://pastebin.com/index/HyE87bcF
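The procedure this answer describes (copy the five /etc files, then the shared libraries that ldd reports for the PHP binary and its extension modules) as an added shell example; it is not part of the original answer or the linked pastebin script. The jail path, the binary names and the SRC_ROOT argument (which lets the copy step be exercised against a fake root instead of /) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): populate a php-fpm pool's
# chroot with the name-resolution/timezone files listed above plus the
# libraries ldd reports for a set of binaries. Run as root on the real host.
set -eu

# The /etc files the answer lists. Read-only copies are enough.
JAIL_ETC_FILES="/etc/hosts /etc/nsswitch.conf /etc/resolv.conf /etc/services /etc/localtime"

# Reads ldd output on stdin and prints one absolute library path per line.
# ldd prints three shapes of line; only the first two name a real file:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   path after "=>"
#   /lib64/ld-linux-x86-64.so.2 (0x...)                    path is first field
#   linux-vdso.so.1 => (0x...)  or  linux-vdso.so.1 (0x...) no file, skipped
ldd_paths() {
    awk '
        /=>/ { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    ' | LC_ALL=C sort -u
}

# copy_into_jail JAIL SRC_ROOT PATH...: copies SRC_ROOT/PATH to JAIL/PATH,
# creating the directory tree and preserving mode/ownership (cp -p).
# SRC_ROOT is "/" on a real system; a fake root is handy for dry runs.
copy_into_jail() {
    jail=$1; src_root=$2; shift 2
    for f in "$@"; do
        src="${src_root%/}$f"
        if [ ! -f "$src" ]; then
            echo "skip: $src not found" >&2
            continue
        fi
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$src" "$jail$f"
    done
}

# jail_for_php JAIL SRC_ROOT BINARY...: the whole procedure. Binaries are the
# php-fpm executable and the extension .so files (paths are assumptions).
jail_for_php() {
    jail=$1; src_root=$2; shift 2
    copy_into_jail "$jail" "$src_root" $JAIL_ETC_FILES
    libs=$(for b in "$@"; do ldd "$b"; done | ldd_paths)
    copy_into_jail "$jail" "$src_root" $libs
}

# Example invocation on a real host (assumed paths):
#   jail_for_php /srv/jails/example.com / /usr/sbin/php5-fpm /usr/lib/php5/20100525/*.so
```

Two things to keep in mind when using this: ldd may run the binary's dynamic loader, so only point it at binaries you trust, and the copied libraries do not follow package upgrades, so re-run the script after updating PHP or libc. Keep everything copied into the jail owned by root and not writable by the pool's user.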

Answer 2:

I create my Debian/Ubuntu chroots with a set of scripts that use debootstrap to create the chroots, so all the libraries are there and I don't have to figure out what to install. It might be more than you want, but it might get you started. I routinely do development work in chroots created by my scripts and haven't had any problems (yet). Good luck!

https://github.com/vtonehundred/vroot