Hi guys,

I am trying to teach myself how to set up an nginx and chrooted php-fpm 
environment in Debian 8.
I specifically want to ask a question about the tmp directory for the php-fpm 
chroot.

So I chrooted the PHP-FPM pool worker that is handling my PHP website into 
/var/www/mywebsite.

### /etc/php5/fpm/pool.d/mywebsite.conf
```
# ...
chroot=/var/www/mywebsite
# ...
```


This directory has a subdirectory htdocs/ in which the website's php files are, 
like index.php and so on.

Amongst other things, the PHP-FPM worker needs access to /tmp. So I 
bind-mounted /tmp into /var/www/mywebsite/tmp.


`mount --bind /tmp /var/www/mywebsite/tmp`

*Let me tell you at this moment that this is the first time I used the mount 
command, so I think I understand what `mount --bind` is doing and I believe 
this would be the preferred choice to give the PHP-FPM worker access to the tmp 
directory, but I really have no experience if that is the way to go. So if you 
see something odd, please let me know.*


This solution did indeed work. However, I am in doubt whether this is really a 
secure way to do it. If I have a pool of PHP-FPM applications, they would all 
share the same tmp directory. I can only imagine this is a security problem. So 
I was looking into a way for that particular PHP-FPM worker to have 
something like a private tmp directory. And I found something.


I read about [PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243) 
on the Red Hat blog and this is possible in Debian 8, too. I added 
PrivateTmp=true in the configuration located at 
`/etc/systemd/system/multi-user.target.wants/php5-fpm.service` and now I see a 
new folder 
`systemd-private-90d6b4c0238b41199e49bcf031b45183-php5-fpm.service-kyXS8P/` in 
/tmp. However, when I create a file in /tmp as root and I run a PHP script with 
`<?php scandir("/tmp"); ?>` using the chrooted php-fpm, I can still see that 
test file created by root, and even read and write to it. I also see that 
systemd-private-... folder.

I am a bit at a loss here. I have several questions:

1. Should I even care about giving each PHP-FPM worker a private tmp directory?
2. How would I best create a private tmp directory for each PHP-FPM worker?
3. If 1 and 2 are answered with yes, how do I get PrivateTmp=true to 
work, as it seems like the least time-consuming and most uniform solution?

Cheers

Stadtpirat
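For readers following this thread: PrivateTmp=true gives the php5-fpm service its own mount namespace with a fresh, empty /tmp mounted over the host path /tmp, but it does nothing to a bind mount that was created earlier in the root namespace. Because /var/www/mywebsite/tmp is a bind mount of the host /tmp, the chrooted worker (whose /tmp resolves to that directory) keeps reaching the host /tmp, which is exactly what the scandir test above shows. A per-pool tmp directory works the other way round: give each pool its own backing directory and bind-mount that onto <chroot>/tmp. The script below is an added example, not code from the original post; the base path /var/tmp/php-fpm-private, the pool name and the 1770 mode are assumptions, and the mount step needs root.

```shell
#!/bin/sh
# Per-pool private tmp for a chrooted PHP-FPM worker (added example).
# Assumed layout: one backing directory per pool under POOL_TMP_BASE,
# bind-mounted onto <chroot>/tmp so the worker never sees the host /tmp.
set -eu

POOL_TMP_BASE="${POOL_TMP_BASE:-/var/tmp/php-fpm-private}"   # assumed location

# Backing directory that holds the private tmp of pool $1.
pool_tmp_dir() {
    printf '%s/%s\n' "$POOL_TMP_BASE" "$1"
}

# Create the backing directory with restrictive permissions.
# Mode 1770: only the pool's user/group can enter it, and the sticky bit
# (as on a normal /tmp) stops users deleting each other's files.
prepare_pool_tmp() {
    dir=$(pool_tmp_dir "$1")
    mkdir -p "$dir"
    chmod 1770 "$dir"
    printf '%s\n' "$dir"
}

# Optional: hand the directory to the pool's user/group (needs root).
own_pool_tmp() {
    chown "$2:$3" "$(pool_tmp_dir "$1")"
}

# /etc/fstab line that bind-mounts the backing directory onto <chroot>/tmp.
# nosuid,nodev,noexec: nothing dropped into tmp can be executed or carry
# setuid bits, and no device nodes can be used from it.
fstab_line() {
    pool=$1; chroot_dir=$2
    printf '%s %s/tmp none bind,nosuid,nodev,noexec 0 0\n' \
        "$(pool_tmp_dir "$pool")" "$chroot_dir"
}

# Perform the bind mount now and apply the options (needs root).
# A plain --bind ignores mount options, hence the second remount step.
mount_pool_tmp() {
    pool=$1; chroot_dir=$2
    mkdir -p "$chroot_dir/tmp"
    mount --bind "$(pool_tmp_dir "$pool")" "$chroot_dir/tmp"
    mount -o remount,bind,nosuid,nodev,noexec "$chroot_dir/tmp"
}

# Check whether two paths are the same directory (same device and inode).
# Use it as: shares_host_tmp /var/www/mywebsite/tmp /tmp
# Returns 0 (true) when <chroot>/tmp is still the shared host /tmp.
shares_host_tmp() {
    a=$(stat -c '%d:%i' "$1")
    b=$(stat -c '%d:%i' "$2")
    [ "$a" = "$b" ]
}

# Usage (as root): ./private-tmp.sh apply mywebsite /var/www/mywebsite www-data www-data
if [ "${1:-}" = "apply" ]; then
    prepare_pool_tmp "$2" >/dev/null
    own_pool_tmp "$2" "$4" "$5"
    mount_pool_tmp "$2" "$3"
    fstab_line "$2" "$3"        # print the line to add to /etc/fstab
    if shares_host_tmp "$3/tmp" /tmp; then
        echo "WARNING: $3/tmp is still the host /tmp" >&2
        exit 1
    fi
fi
```

After mounting, run `shares_host_tmp /var/www/mywebsite/tmp /tmp` (or `findmnt /var/www/mywebsite/tmp`) to confirm the chroot's tmp is no longer the host /tmp; repeating the scandir test from the post should then show an empty directory. Each pool gets its own backing directory, so workers from different pools cannot read or overwrite each other's session or upload files.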
