Exposing Composer to the WWW user on FreeBSD

15 June 2025

FreeBSD is one of the most secure Unix variants in the open source community. By default, its settings are designed to allow deployment with minimal security adjustments. One of these settings is the www user, the account used for web server operations. The user is not allotted a shell or a home directory, and neither root nor a regular user can switch to it with su. So how is an operator supposed to connect a composer installation to this user for web-managed composer installations?

Why would you want to do this?

Most users will never have to do this. You should be able to run your web server securely using FreeBSD and never have to worry about tying composer to the web environment. However, Drupal CMS, a new project by drupal.org, introduces operator conveniences, allowing the operator of a site to install contributed modules without having to get down on the command line. Although I got Drupal CMS to work perfectly fine on a fresh Ubuntu installation, I had some difficulty on FreeBSD. This is what I had to do to fix it.

The Plan

The primary goal was to allow the www user to access composer without compromising the security of the FreeBSD installation. One way of accomplishing this is to expose the path to composer via an environment variable. Since the www user has no shell associated with it, creating a bashrc or shrc file is not feasible. However, an environment variable can be created through php-fpm. This brings a further advantage: the web server relays its PHP requests, including any calls to the console, to the separate php-fpm process, which frees up resources for the web server. Therefore, by providing composer's path to php-fpm and connecting the web server, in this case Apache, to the php-fpm process, we can expose composer to the www user.

Enabling php-fpm on FreeBSD

php-fpm should be installed along with PHP on FreeBSD. It comes with PHP 8.2 and above. However, if it is not installed, install it via pkg before enabling it.

# Enable php-fpm on boot
sudo sysrc php_fpm_enable=YES

# php-fpm is secure by default on FreeBSD, but should you need to adjust the settings:
sudo vi /usr/local/etc/php-fpm.d/www.conf

# Start the php-fpm daemon. The service name uses an underscore (php_fpm), not a hyphen
sudo service php_fpm start
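
The plan above depends on one pool directive, env[PATH], in the www.conf file just opened. The following is an added example, not part of the original article: a constructed pool file containing that directive, plus a small audit that checks that PATH holds only absolute directories and that the listener stays on loopback. It assumes composer is installed in /usr/local/bin; the function names and COMPOSER_DIR are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: composer lives in /usr/local/bin (override COMPOSER_DIR).
COMPOSER_DIR="${COMPOSER_DIR:-/usr/local/bin}"

# Print the value of a "key = value" directive; ';' comments skipped, last one wins.
pool_get() {    # $1 = pool file, $2 = literal key such as 'env[PATH]'
    awk -v k="$2" '
        /^[ \t]*;/ { next }
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

# Print one line per finding; return 0 only when the pool file is clean.
audit_pool() {  # $1 = pool file
    rc=0
    path=$(pool_get "$1" 'env[PATH]')
    listen=$(pool_get "$1" 'listen')
    if [ -z "$path" ]; then
        echo "env[PATH] is not set, so PHP cannot locate composer"; rc=1
    else
        case ":$path:" in       # every entry must be an absolute directory
            *:[!/]*) echo "env[PATH] has an empty or relative entry: $path"; rc=1 ;;
        esac
        case ":$path:" in
            *":$COMPOSER_DIR:"*) ;;
            *) echo "env[PATH] does not include $COMPOSER_DIR"; rc=1 ;;
        esac
    fi
    case $listen in             # a bare port would listen on every interface
        127.0.0.1:*|"[::1]":*|/*) ;;
        *) echo "listen '$listen' is neither loopback nor a unix socket"; rc=1 ;;
    esac
    return $rc
}

# Constructed pool file showing the directive this article depends on.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[www]
user = www
group = www
listen = 127.0.0.1:9000
; workers start with a cleared environment (clear_env default), so pass PATH explicitly
env[PATH] = /usr/local/bin:/usr/bin:/bin
EOF
audit_pool "$SAMPLE" && echo "pool file OK"
```

Point audit_pool at /usr/local/etc/php-fpm.d/www.conf after editing it, and keep every directory named in env[PATH] unwritable by www.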

Integrating php-fpm into Apache on FreeBSD

First, enable the required modules in Apache's httpd.conf:

LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so

Now, configure the *.conf files for each website that needs php-fpm enabled.

# Add this block between the VirtualHost tags of both the port :80 and :443 configuration declarations
<FilesMatch \.php$>
    SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>

# Restart both the Apache server and the php-fpm daemon
sudo service apache24 restart
sudo service php_fpm restart

These instructions are abbreviated, but they should be sufficient to get php-fpm up and running on FreeBSD. More importantly, they will allow Drupal CMS to run composer via the www user without making the server vulnerable.