Safest setup for shared hosting

[ricardo777]

Hello,

Firstly sorry if this is a bad question.

I now have setup a new VPS with this settings:

#PHP Settings
php1_release=5.4
php1_mode=php-fpm
php2_release=5.5
php2_mode=php-fpm
suhosin=yes

#WEB Server Settings
webserver=apache
apache_ver=2.4
apache_mpm=auto
mod_ruid2=no
secure_htaccess=yes
harden_symlinks_patch=yes

I want to know is this usage without mod_ruid and with use of php-fpm safe for shared hosting environment, like users have the right permission and can only write in their own folder not of other users?

Or is a setup with these settings better for shared hosting security:

#PHP Settings
php1_release=5.4
php1_mode=mod_php (or also suphp)
php2_release=5.5
php2_mode=suphp
suhosin=yes

#WEB Server Settings
webserver=apache
apache_ver=2.4
apache_mpm=auto
mod_ruid2=yes
secure_htaccess=yes
harden_symlinks_patch=yes

Thank you.

 

[zEitEr]

Hello,

The first variant might be good. Still I'm not sure how good is idea to use the same mode for two different PHP versions, but you may try it and test whether they can be used or not that way. And I'd rather add suhosin_php_uploadscan:

./build set suhosin yes
./build set suhosin_php_uploadscan yes
./build set clamav yes

The second variant might bring issues (not too sure though) with using mod_php+mod_ruid2 and suphp. If I recall it correctly there are some threads here about issues with it.

 

[ricardo777]

Thank you for your answer.

I have tested a little bit now not much yet, but I can see the 2 php modes create 2 different processes like:

php-fpm: master process (/usr/local/php55/etc/php-fpm.conf)
php-fpm: master process (/usr/local/php54/etc/php-fpm.conf)

and every user that run a php script gets a new process like:

testuser 0.0 % 17:45 php-fpm: pool testuser

Both for 5.4 or 5.5.

So far it works, still need to test it with some CMS and php scripts.

I also check the php files with both 5.4 or 5.5 with open_basedir that also worked fine for both versions.

Also thank you for your tip of enabling that feature will do that one also.

The second variant might bring issues (not too sure though) with using mod_php+mod_ruid2 and suphp. If I recall it correctly there are some threads here about issues with it.

I have not tested this setup yet, it has installed without any error but I did not had the time to test the setup with some php files or CMS.

 

[zEitEr]

So every user would have both php55 and php54 pools running at the time, right? That's not good probably unless you don't care about RAM.

 

[ricardo777]

So every user would have both php55 and php54 pools running at the time, right? That's not good probably unless you don't care about RAM.

No sorry I will explain.

When I run for example test.php it will open a process and when I open a test.php55 file it opens another process for the other php version the 2 lines are for both php version because I have opened the 2 files at the same time.

The process was stopped within a minute when the test file was done running.

So when I only run test.php there is only 1 process.

EDIT:

I have now installed Joomla and it uses 1 process:

testuser 15.4 % 18:06 php-fpm: pool testuser

It will be killed directly when the php is done loading.

 

[interfasys]

Hello,

Firstly sorry if this is a bad question.

I now have setup a new VPS with this settings:

#PHP Settings
php1_release=5.4
php1_mode=php-fpm
php2_release=5.5
php2_mode=php-fpm
suhosin=yes

#WEB Server Settings
webserver=apache
apache_ver=2.4
apache_mpm=auto
mod_ruid2=no
secure_htaccess=yes
harden_symlinks_patch=yes

I want to know is this usage without mod_ruid and with use of php-fpm safe for shared hosting environment, like users have the right permission and can only write in their own folder not of other users?

...

Thank you.

Using PHP-FPM gives you the fastest-safest option, but it's only really safe for you. For the user, not so much. Any compromised script can be used to wipe his entire public_html folder and possibly more if you're not using open_basedir.
http://forum.directadmin.com/showthread.php?t=48100

Ideally you would create a PHP group which can be used by PHP-FPM fro write operations on certain files.

 

[ricardo777]

Using PHP-FPM gives you the fastest-safest option, but it's only really safe for you. For the user, not so much. Any compromised script can be used to wipe his entire public_html folder and possibly more if you're not using open_basedir.
http://forum.directadmin.com/showthread.php?t=48100

Ideally you would create a PHP group which can be used by PHP-FPM fro write operations on certain files.

Firstly thanks for your reply, also correct me if wrong.

But the problem what you describe is this not the same as suPHP or mod_ruid2? if the user gets hacked is it possible to do other write actions?

 

[interfasys]

Firstly thanks for your reply, also correct me if wrong.

But the problem what you describe is this not the same as suPHP or mod_ruid2? if the user gets hacked is it possible to do other write actions?

You're right, that's why there should be a PHP group per user account with only read access, but that doesn't exist in CB...yet.

 

[ricardo777]

You're right, that's why there should be a PHP group per user account with only read access, but that doesn't exist in CB...yet.

Thank you for your reply, and information. I is a good idea but I am really interested to see how for example wordpress or joomla would work with this setup.

 

[interfasys]

Thank you for your reply, and information. I is a good idea but I am really interested to see how for example wordpress or joomla would work with this setup.

They will work fine, just like when you use mod_php. Instead of having an Apache group shared amongst all users and thus offering no privacy, you have one group per user.