php-fpm chroot support

Author: JSroka7

install/sql/incremental/upd_dev_collection.sql

@@ -1,3 +1,4 @@
 ALTER TABLE `web_domain` ADD COLUMN `ssl_letsencrypt_exclude` enum('n','y') NOT NULL DEFAULT 'n' AFTER `ssl_letsencrypt`;
 ALTER TABLE `remote_user` ADD `remote_access` ENUM('y','n') NOT NULL DEFAULT 'y' AFTER `remote_password`;
 ALTER TABLE `remote_user` ADD `remote_ips` TEXT AFTER `remote_access`;
+ALTER TABLE `web_domain` ADD `php_fpm_chroot` enum('n','y') NOT NULL DEFAULT 'n' AFTER `php_fpm_use_socket`;

install/sql/ispconfig3.sql

@@ -1963,6 +1963,7 @@ CREATE TABLE `web_domain` (
   `apache_directives` mediumtext,
   `nginx_directives` mediumtext,
   `php_fpm_use_socket` ENUM('n','y') NOT NULL DEFAULT 'y',
+  `php_fpm_chroot` ENUM('n','y') NOT NULL DEFAULT 'n',
   `pm` enum('static','dynamic','ondemand') NOT NULL DEFAULT 'dynamic',
   `pm_max_children` int(11) NOT NULL DEFAULT '10',
   `pm_start_servers` int(11) NOT NULL DEFAULT '2',

interface/web/sites/form/web_vhost_domain.tform.php

@@ -766,6 +766,12 @@
 				'default' => 'n',
 				'value'  => array(0 => 'n', 1 => 'y')
 			),
+            'php_fpm_chroot' => array (
+                'datatype' => 'VARCHAR',
+                'formtype' => 'CHECKBOX',
+                'default' => 'n',
+                'value'  => array(0 => 'n', 1 => 'y')
+            ),
 			'pm' => array (
 				'datatype' => 'VARCHAR',
 				'formtype' => 'SELECT',

interface/web/sites/lib/lang/en_web_vhost_domain.lng

@@ -29,6 +29,7 @@ $wb['vhost_type_txt'] = 'VHost Type';
 $wb['hd_quota_txt'] = 'Harddisk Quota';
 $wb['traffic_quota_txt'] = 'Traffic Quota';
 $wb['cgi_txt'] = 'CGI';
+$wb['php_fpm_chroot_txt'] = 'PHP-FPM Chroot';
 $wb['ssi_txt'] = 'SSI';
 $wb['errordocs_txt'] = 'Own Error-Documents';
 $wb['subdomain_txt'] = 'Auto-Subdomain';

interface/web/sites/templates/web_vhost_domain_advanced.htm

@@ -57,6 +57,12 @@ <h1><tmpl_var name="list_head_txt"></h1>
                         {tmpl_var name='php_fpm_use_socket'}
                     </div>
                 </div>
+                <div class="form-group nginx">
+                    <label class="col-sm-3 control-label">{tmpl_var name='php_fpm_chroot_txt'}</label>
+                    <div class="col-sm-9">
+                        {tmpl_var name='php_fpm_chroot'}
+                    </div>
+                </div>
                 <div class="form-group">
                     <label for="pm" class="col-sm-3 control-label">{tmpl_var name='pm_txt'}</label>
                     <div class="col-sm-9"><select name="pm" id="pm" class="form-control">

server/conf/nginx_vhost.conf.master

@@ -167,7 +167,11 @@ server {
             fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
 </tmpl_if>
             fastcgi_index index.php;
+<tmpl_if name='php_fpm_chroot'>
+            fastcgi_param SCRIPT_FILENAME /web$fastcgi_script_name;
+</tmpl_else>
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+</tmpl_if>
             #fastcgi_param PATH_INFO $fastcgi_script_name;
             fastcgi_intercept_errors on;
         }

server/conf/php_fpm_pool.conf.master

@@ -26,20 +26,38 @@ pm.process_idle_timeout = <tmpl_var name='pm_process_idle_timeout'>s;
 </tmpl_if>
 pm.max_requests = <tmpl_var name='pm_max_requests'>
 
+<tmpl_if name='php_fpm_chroot'>
+prefix = <tmpl_var name='document_root'>
+chroot = $prefix
+</tmpl_if>
 chdir = /
 
 env[HOSTNAME] = $HOSTNAME
+<tmpl_if name='php_fpm_chroot'>
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+</tmpl_else>
 env[TMP] = <tmpl_var name='document_root'>/tmp
 env[TMPDIR] = <tmpl_var name='document_root'>/tmp
 env[TEMP] = <tmpl_var name='document_root'>/tmp
+</tmpl_if>
 env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 <tmpl_if name='security_level' op='==' value='20'>
 <tmpl_var name='enable_php_open_basedir'>php_admin_value[open_basedir] = <tmpl_var name='php_open_basedir'>
 <tmpl_if name='custom_session_save_path' op='!=' value='y'>
+<tmpl_if name='php_fpm_chroot'>
+php_admin_value[session.save_path] = /tmp
+</tmpl_else>
 php_admin_value[session.save_path] = <tmpl_var name='document_root'>/tmp
 </tmpl_if>
+</tmpl_if>
+<tmpl_if name='php_fpm_chroot'>
+php_admin_value[upload_tmp_dir] = /tmp
+</tmpl_else>
 php_admin_value[upload_tmp_dir] = <tmpl_var name='document_root'>/tmp
+</tmpl_if>
 php_admin_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f webmaster@<tmpl_var name='domain'>"
 </tmpl_if>
 

server/plugins-available/nginx_plugin.inc.php

@@ -1024,6 +1024,11 @@ function update($event_name, $data) {
 		$socket_dir = escapeshellcmd($web_config['php_fpm_socket_dir']);
 		if(substr($socket_dir, -1) != '/') $socket_dir .= '/';
 
+        if($data['new']['php_fpm_chroot'] == 'y'){
+            $php_fpm_chroot = 1;
+        } else {
+            $php_fpm_chroot = 0;
+        }
 		if($data['new']['php_fpm_use_socket'] == 'y'){
 			$use_tcp = 0;
 			$use_socket = 1;
@@ -1033,6 +1038,7 @@ function update($event_name, $data) {
 		}
 		$tpl->setVar('use_tcp', $use_tcp);
 		$tpl->setVar('use_socket', $use_socket);
+		$tpl->setVar('php_fpm_chroot', $php_fpm_chroot);
 		$fpm_socket = $socket_dir.$pool_name.'.sock';
 		$tpl->setVar('fpm_socket', $fpm_socket);
 		$tpl->setVar('rnd_php_dummy_file', '/'.md5(uniqid(microtime(), 1)).'.htm');
@@ -2653,6 +2659,11 @@ private function php_fpm_pool_update ($data, $web_config, $pool_dir, $pool_name,
 		$tpl = new tpl();
 		$tpl->newTemplate('php_fpm_pool.conf.master');
 
+        if($data['new']['php_fpm_chroot'] == 'y'){
+            $php_fpm_chroot = 1;
+        } else {
+            $php_fpm_chroot = 0;
+        }
 		if($data['new']['php_fpm_use_socket'] == 'y'){
 			$use_tcp = 0;
 			$use_socket = 1;
@@ -2663,6 +2674,7 @@ private function php_fpm_pool_update ($data, $web_config, $pool_dir, $pool_name,
 		}
 		$tpl->setVar('use_tcp', $use_tcp);
 		$tpl->setVar('use_socket', $use_socket);
+		$tpl->setVar('php_fpm_chroot', $php_fpm_chroot);
 
 		$fpm_socket = $socket_dir.$pool_name.'.sock';
 		$tpl->setVar('fpm_socket', $fpm_socket);
@@ -2702,7 +2714,14 @@ private function php_fpm_pool_update ($data, $web_config, $pool_dir, $pool_name,
 		$tpl->setVar('security_level', $web_config['security_level']);
 		$tpl->setVar('domain', $data['new']['domain']);
 		$php_open_basedir = ($data['new']['php_open_basedir'] == '')?escapeshellcmd($data['new']['document_root']):escapeshellcmd($data['new']['php_open_basedir']);
-		$tpl->setVar('php_open_basedir', $php_open_basedir);
+        if($php_fpm_chroot){
+            $document_root = $data['new']['document_root'];
+            $domain = $data['new']['domain'];
+            $php_open_basedir = str_replace(":/srv/www/$domain/web",'',$php_open_basedir);
+            $php_open_basedir = str_replace(":/var/www/$domain/web",'',$php_open_basedir);
+            $php_open_basedir = str_replace("$document_root",'',$php_open_basedir);
+        }
+        $tpl->setVar('php_open_basedir', $php_open_basedir);
 		if($php_open_basedir != ''){
 			$tpl->setVar('enable_php_open_basedir', '');
 		} else {