Web lists-archives.com

[PHP] Shared hosting and security without safe mode




Hello everyone,

We are planning to upgrade our Apache+PHP web servers to PHP 5.4, but we
see a problem now that safe mode is not available any more. We offer
hosting to hundreds of users and we are using mod_userdir and safe_mode
for that, allowing users to upload and run their own PHP scripts and
applications on the servers.

What alternatives are there to get rid of safe mode and at the same time
not letting users to access files not owned by themselves or to run
commands on the server? I've seen that now there's FastCGI, PHP-FPM...
suPHP seems no longer be a widely adopted alternative... Also these
solutions rely heavily on virtual hosts, and I find it a bit problematic
with hundreds of users, even though there's mod_vhost_alias and all (DNS
records should also be changed and it's a bit complicated for us now,
for several reasons) Ideally, users should be restricted to their
public_html directory (chroot, open_base_dir? Any other options? What is
best?)

So what solutions have you guys implemented? What pros and cons do they
have? It used to be mod_userdir, mod_php and safe_mode. I know, it
wasn't really safe and there were a lot of problems related to it, but
it was simple at least. Now it appears it's not that way anymore, there
are many layers and configurations... Are there any simple alternatives?

Thanks in advance and kind regards,

Rafa


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php