On 2021-06-10, Gustavo Rios wrote:
> Hi folks!
>
> I am planning a web server using OpenBSD as the OS and using PHP. My
> question is: how to avoid any given user from implementing a PHP script that
> will read someone else's file, since everything will run as the web server user
> and group?
>
> thanks a lot.
>
The PHP scripts don't need to run as the same user and group. Use different
application pools in php-fpm.conf listening on different sockets, and have
the web server use the relevant socket for the website. You can even chroot
them separately if you think that will help.
e.g.
---
[global]
error_log = syslog
syslog.facility = daemon
log_level = notice
[user1]
user = user1
group = user1
listen = /var/www/run/php-fpm.user1.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www
[user2]
user = user2
group = user2
listen = /var/www/run/php-fpm.user2.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www
---
Quick warning to head off a possible problem you might run into in the
future though: you will need to make sure that the web server (not the
PHP interpreter) has read access to those files which _it_ needs (e.g.
static content). One way to do that is to add the www user to the
group for each user account (e.g. user1:*:1001:www, user2:*:1002:www,
in /etc/group). That works nicely for small setups but you will run
into a wall after a while because on OpenBSD a user account can only
be a member of up to 16 supplemental groups. (There are other ways
to handle this e.g. running multiple web server processes, but with
a bunch more complication).
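As an added example (not part of the original reply), here is the matching httpd.conf(5) fragment for OpenBSD's httpd that sends each site's PHP requests to its own pool socket from the php-fpm.conf above. The hostnames and document roots are assumed for illustration; the socket paths are real, just written relative to httpd's /var/www chroot.

```conf
# httpd runs chrooted in /var/www, so "/run/php-fpm.user1.sock" here is
# /var/www/run/php-fpm.user1.sock on the host, i.e. the "listen" path of
# the [user1] pool. Because the pools are chrooted to /var/www as well,
# the script path httpd hands to php-fpm (/htdocs/user1/index.php)
# resolves inside the pool's chroot without any translation.
#
# Suggested ownership (assumed layout): /var/www/htdocs/user1 is
# user1:user1 mode 0750 with www added to group user1 as described in
# the reply, so httpd can serve static files but the [user2] pool,
# running as user2, cannot read user1's scripts or data.

server "user1.example.com" {
        listen on * port 80
        root "/htdocs/user1"
        directory index index.php
        location "*.php" {
                fastcgi socket "/run/php-fpm.user1.sock"
        }
}

server "user2.example.com" {
        listen on * port 80
        root "/htdocs/user2"
        directory index index.php
        location "*.php" {
                fastcgi socket "/run/php-fpm.user2.sock"
        }
}
```

Run `httpd -n` to check the syntax before reloading, and confirm each socket exists under /var/www/run with a mode that lets the www user connect to it.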