On 2021-06-10, Gustavo Rios <rios.gust...@gmail.com> wrote:
> Hi folks!
>
> I am planning a web server using OpenBSD as the OS and using PHP. My
> question is: how do I avoid any given user from implementing a PHP script that
> will read someone else's file, since everything will run as the web server user
> and group?
>
> thanks a lot.
>

The PHP scripts don't need to run as the same user and group. Use different
application pools in php-fpm.conf listening on different sockets, and have
the web server use the relevant socket for the website. You can even chroot
them separately if you think that will help.

e.g.

-----------
[global]
error_log = syslog
syslog.facility = daemon
log_level = notice

; One pool per account: each pool's workers run as that account, so a script
; in one pool has no more file access than its own user. The listen path is
; an absolute host path (the master creates the socket before the children
; chroot); listen.owner/listen.group are assumed to match the web server
; user (www on OpenBSD) so that it is allowed to connect.
[user1]
user = user1
group = user1
listen = /var/www/run/php-fpm.user1.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www

[user2]
user = user2
group = user2
listen = /var/www/run/php-fpm.user2.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www
-----------

Quick warning to head off a possible problem you might run into in the
future though; you will need to make sure that the web server (not the
PHP interpreter) has read access to those files which _it_ needs (e.g.
static content). One way to do that is to add the www user to the
group for each user account (e.g. user1:*:1001:www, user2:*:1002:www,
in /etc/group). That works nicely for small setups but you will run
into a wall after a while because on OpenBSD a user account can only
be a member of up to 16 supplemental groups. (There are other ways
to handle this e.g. running multiple web server processes, but with
a bunch more complication).
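A small audit for the group-membership approach described above, as an added example that is not part of the original post: it parses an /etc/group-style file (the data below is constructed sample input), reports which per-user groups still lack the web server user, and checks the count against OpenBSD's limit of 16 supplemental groups. The user name www and the NGROUPS_MAX value are taken from the post.

```shell
#!/bin/sh
# Added example, not from the mailing-list reply. Audits the "add www to each
# user's group" scheme against OpenBSD's 16-supplemental-group limit.
NGROUPS_MAX=16

# Constructed sample in /etc/group format (name:password:gid:members).
SAMPLE_GROUP='wheel:*:0:root
www:*:67:
user1:*:1001:www
user2:*:1002:www
user3:*:1003:'

# Print the names of every group whose member list contains USER
# (supplementary groups only; the login group lives in /etc/passwd).
supp_groups() {    # supp_groups USER GROUPFILE_CONTENTS
    printf '%s\n' "$2" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# Number of supplementary groups USER is already in.
count_supp_groups() {    # count_supp_groups USER GROUPFILE_CONTENTS
    supp_groups "$1" "$2" | wc -l | tr -d ' '
}

# Exit 0 if USER can still be added to one more group without exceeding
# NGROUPS_MAX, 1 otherwise.
can_add_group() {    # can_add_group USER GROUPFILE_CONTENTS
    [ "$(count_supp_groups "$1" "$2")" -lt "$NGROUPS_MAX" ]
}

# Print each group in the space-separated list WANT that does not yet list
# USER as a member: static files owned by that account are unreadable by
# the web server until it is added.
groups_lacking() {    # groups_lacking USER "g1 g2 ..." GROUPFILE_CONTENTS
    have=$(supp_groups "$1" "$3")
    for g in $2; do
        printf '%s\n' "$have" | grep -qx "$g" || printf '%s\n' "$g"
    done
}

# Stand-alone run: report the state of the sample data.
echo "www is in $(count_supp_groups www "$SAMPLE_GROUP") supplementary group(s)"
echo "groups still lacking www: $(groups_lacking www 'user1 user2 user3' "$SAMPLE_GROUP")"
can_add_group www "$SAMPLE_GROUP" && echo "room for another group" || echo "at NGROUPS_MAX"
```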
