PHPMyAdmin jailed

Discussion in 'Installation/Configuration' started by remkoh, Nov 12, 2023.

  1. remkoh

    remkoh Active Member HowtoForge Supporter

    I'm trying to run PHPMyAdmin in a jailed environment but can't get it to work.

    In my setup (with Nginx webserver) I'm NOT running /phpmyadmin as a global alias.

    I've created a website phpmyadmin.domain.tld with PHP8.1-FPM, a "no flag" redirect to "/phpmyadmin/" and this Nginx directive:
    Code:
    location /phpmyadmin {
        alias /usr/share/phpmyadmin;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            {FASTCGIPASS}
            fastcgi_index index.php;
        }
        location ~ ^/phpmyadmin/(libraries|setup/frames|setup/libs) {
            deny all;
            return 404;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|xml))$ {
            access_log off;
            expires 30d;
        }
    }
    
    This works just fine.
    Until I check "Chroot PHP-FPM" that is.

    I've added "/usr/share/phpmyadmin/ /etc/phpmyadmin/" in "Jailkit chrooted applications".
    I can see both folders and content in "/var/www/phpmyadmin.domain.tld/".

    Browser returns "No input file specified." and log says:
    Code:
    [error] 351417#351417: *4918 FastCGI sent in stderr: "Unable to open primary script: /usr/share/phpmyadmin/index.php (No such file or directory)" while reading response header from upstream, client: x.x.x.x, server: phpmyadmin.domain.tld, request: "GET / HTTP/2.0", upstream: "fastcgi://unix:/var/lib/php8.1-fpm/web1.sock:", host: "phpmyadmin.domain.tld"
    
    I haven't done much with jails previously so I'm sure I'm at fault or missing something.
    Question is what?
     
    Last edited: Nov 12, 2023
  2. remkoh

    remkoh Active Member HowtoForge Supporter

    Changing Nginx directive to:
    Code:
    location /phpmyadmin {
        alias {DOCROOT}../usr/share/phpmyadmin;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            {FASTCGIPASS}
            fastcgi_index index.php;
        }
        ...
    }
    
    changes browser to "File not found." and logs to:
    Code:
    [error] 365793#365793: *13 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: x.x.x.x, server: phpmyadmin.domain.tld, request: "GET / HTTP/2.0", upstream: "fastcgi://unix:/var/lib/php8.1-fpm/web1.sock:", host: "phpmyadmin.domain.tld"
    
     
    Last edited: Nov 12, 2023
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    This will likely not work. If you want to have a jailed phpmyadmin, install phpmyadmin into the website instead of using the globally installed phpmyadmin from Debian or Ubuntu.
     
    ahrasis likes this.
  4. remkoh

    remkoh Active Member HowtoForge Supporter

    That's too bad.
    I was trying to avoid manual installation and updating.
    Then I'll be running it unjailed. That works.
     
  5. remkoh

    remkoh Active Member HowtoForge Supporter

    For other wanting to run a similar config, you also need to change some permissions:
    Code:
    chown -R webX.clientX /etc/phpmyadmin
    chown -R webX.clientX /var/lib/phpmyadmin
    
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I thought @Th0m tool and guide already covers auto update for PMA and unless I understood you wrongly, all install must start from manual, some where.
     
  7. remkoh

    remkoh Active Member HowtoForge Supporter

    Ofcourse there's a manual step. I've installed PHPMyAdmin from repo.

    That installed PHPMyAdmin in the default folders /usr/share, /var/lib, /etc (and maybe more) which, according to @till, makes it not possible to run from a jailed vhost.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Jailed environment is limited to its own folder only thus cannot access all other folders like server root can. Does that makes sense?
     

Share This Page