Re: [PHP] Shared hosting and security without safe mode
- Date: Fri, 13 Nov 2015 09:28:36 +0000
- From: German Geek <geek.de@xxxxxxxxx>
- Subject: Re: [PHP] Shared hosting and security without safe mode
Have you considered using Puppet for your deployment automation? Then you
just need to write the configuration like developing an application, commit
it to a VCS and have repeatable configuration that can be upgraded quickly.
For most needs there are already Puppet modules that you can use out of the
box. Also, I would recommend running php-fpm if that works and having each
user have a different sandbox in one way or another. Only then can you have
true secure separation of users. If you want to know more details ping me.
On Fri, 13 Nov 2015 at 21:27 Rafael Arco Arredondo <rafaarco@xxxxxx> wrote:
> Hello everyone,
> We are planning to upgrade our Apache+PHP web servers to PHP 5.4, but we
> see a problem now that safe mode is not available any more. We offer
> hosting to hundreds of users and we are using mod_userdir and safe_mode
> for that, allowing users to upload and run their own PHP scripts and
> applications on the servers.
> What alternatives are there to get rid of safe mode and at the same time
> not letting users to access files not owned by themselves or to run
> commands on the server? I've seen that now there's FastCGI, PHP-FPM...
> suPHP seems no longer be a widely adopted alternative... Also these
> solutions rely heavily on virtual hosts, and I find it a bit problematic
> with hundreds of users, even though there's mod_vhost_alias and all (DNS
> records should also be changed and it's a bit complicated for us now,
> for several reasons) Ideally, users should be restricted to their
> public_html directory (chroot, open_base_dir? Any other options? What is
> So what solutions have you guys implemented? What pros and cons do they
> have? It used to be mod_userdir, mod_php and safe_mode. I know, it
> wasn't really safe and there were a lot of problems related to it, but
> it was simple at least. Now it appears it's not that way anymore, there
> are many layers and configurations... Are there any simple alternatives?
> Thanks in advance and kind regards,
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php