HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


exabytes18 19th June 2009 10:54

ISPConfig PHP Security
 
Hello, I have a general question regarding the security measures implemented by ISPConfig. Just trying to get a feel for how ISPConfig handles this before I go ahead and install.

Are any steps taken to harden PHP past what's included by PHP itself (i.e. safe-mode and open_basedir)? Are scripts within virtual hosts jailed to their respective document root in any way? Does PHP run as a module or as CGI?

Thanks for any insight.
- Matt

till 19th June 2009 12:50

ISPConfig offers you a wide variety of ways to run your PHP scripts, like mod_php, suphp, cgi, php-fcgi and suexec, so it's up to you how you select the level of security vs. speed for every website.

exabytes18 20th June 2009 06:13

Does that leave permissions to restrict access then? I'm not exactly sure how this works, so bear with me. :)

So, apache runs as usual. When a php script is executed, apache calls suphp (or suexec) which launches php under the respective user id. PHP then interprets the script. Now assuming permissions are set somewhat intelligently, doesn't that leave some "sensitive" files readable like /etc/passwd and the like?

I like the peace of mind of knowing that users are jailed within their directory and able to frolic all they want without harming any part of the system. Is there any way to provide this level of security within ISPConfig?

Thanks,
Matt

till 20th June 2009 10:35

This is not ISPConfig-specific, as this is the same for all webservers using PHP. suphp is restricting users to a specific directory and is also able to chroot them, and more detailed restrictions can be set when you assign a specific php.ini file for a site where you disable all functions like exec, system, passthru etc. that might be dangerous and which are not needed by the site:

http://www.suphp.org/DocumentationVi...=apache/CONFIG
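
Added example, not part of the thread and not ISPConfig or suPHP code: a small Python audit of a per-site php.ini that reports which risky functions are still enabled and whether open_basedir reaches outside the site directory. The function list beyond exec, system and passthru, the path /var/www/web1 and both sample files are assumptions constructed for illustration.

```python
# Added example: audit a per-site php.ini for the hardening discussed above.
# RISKY extends the functions named in the thread with three more (assumption).
RISKY = ("exec", "system", "passthru", "shell_exec", "popen", "proc_open")

def parse_ini(text):
    """Return {directive: value}; assumes Unix-style values with no ';' inside."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings                               # later lines override earlier ones

def audit(ini_text, site_root):
    """Return a list of findings for one site's php.ini."""
    cfg = parse_ini(ini_text)
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    findings = [f"{fn} is not in disable_functions" for fn in RISKY if fn not in disabled]
    root = site_root.rstrip("/")
    # open_basedir entries are ':'-separated on Unix; "/" normalises to "".
    paths = [p.strip().rstrip("/") for p in cfg.get("open_basedir", "").split(":") if p.strip()]
    if not paths:
        findings.append("open_basedir is not set")
    for p in paths:
        if p != root and not p.startswith(root + "/"):
            findings.append(f"open_basedir allows {p or '/'} outside {root}")
    return findings

# Constructed sample: a per-site php.ini with nothing restricted.
WEAK_INI = """\
; constructed sample
disable_functions =
open_basedir = /
"""

# Constructed sample: the same site with the restrictions in place.
HARDENED_INI = """\
; constructed sample
disable_functions = exec,system,passthru,shell_exec,popen,proc_open
open_basedir = /var/www/web1/web:/var/www/web1/tmp
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini, "/var/www/web1") or "no findings")
```
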

exabytes18 20th June 2009 12:02

Is suPHP generally what most people use? Is it robust enough for production use?

But anyway, thanks till, you've been very informative.
- Matt

