How to Run PHP-Fpm as Root

How to run php-fpm as root

See:

# php-fpm --help
...
 -R, --allow-to-run-as-root
               Allow pool to run as root (disabled by default)

Set root for PHP in nginx

Since you are running php-fpm, you can set chroot in the config and restrict it to a certain directory. See the below thread for more details

https://serverfault.com/questions/344538/php-fpms-chroot-and-chdir-directory

chroot string

Chroot to this directory at the start. This value must be defined as an absolute path. When this value is not set, chroot is not used.

chdir string

Chdir to this directory at the start. This value must be an absolute path. Default value: current directory or / when chroot.

https://secure.php.net/manual/en/install.fpm.configuration.php

So you will add the below to the your php-fpm config

chroot=/var/www/mydomain.com
chdir=/

nginx and php-fpm socket owner

Config files FPM will read

/etc/php-fpm.conf is the config file FPM will read (on CentOS). If you want FPM to read other config files as well, you need to tell it that.

You can do this by placing the line include=/etc/php-fpm.d/*.conf at the bottom of /etc/php-fpm.conf. It will then read everything in the directory /etc/php-fpm.d (that ends with .conf).

Then place the global directives and the include line in /etc/php-fpm.conf. This could look something like this:

[global]

pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log

include=/etc/php-fpm.d/*.conf

And have a separate file in /etc/php-fpm.d for each pool.

Example /etc/php-fpm.d/global.conf:

[global-pool]

user = www-data
group = www-data

listen = /var/run/php-fcgi.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Example /etc/php-fpm.d/vhostname-0.conf:

[vhostname-php-fcgi-0]

user = www-data
group = www-data

listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5

Directives to pay attention to

• Every pool should use a different socket. If you have multiple pools using the same socket you'll get issues.

• The directives user and group control the user/group which the FPM process for that pool will run as. These do not specify the user/group of the socket.

• The directives listen.owner and listen.group control the user/group the socket uses for that pool.

• The pool directives (like listen.*) will only work for pools. So you can't use them in the global section, you have to specify them for each pool.

Socket permissions

The permissions 0660 are perfectly fine when listen.owner and listen.group are the same as the webserver. You could even use 0600, but one might argue that any user that can operate under the same group as the webserver can also use the socket, so I would use 0660.

Nginx/PHP-FPM use more than one webroot

This configuration works :)

server {

    listen 80;
    server_name _;

    index index.php;
    rewrite_log on;

    root /var/www/html;

    location / {

        try_files $uri /public/index.php$is_args$args;
    }

    location ^~ /api {

        try_files $uri /api/index.php$is_args$args;

        location ~ \.php {

            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.1-fpm.sock;
        }

    }

    location ~ \.php {

        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
    }
}

---

Related Topics