#1
19th June 2009, 10:54
exabytes18

ISPConfig PHP Security

Hello, I have a general question regarding the security measures implemented by ISPConfig. Just trying to get a feel for how ISPConfig handles this before I go ahead and install.

Are any steps taken to harden PHP past what's included by PHP itself (i.e. safe-mode and open_basedir)? Are scripts within virtual hosts jailed to their respective document root in any way? Does PHP run as a module or a CGI?

Thanks for any insight.
- Matt
#2
19th June 2009, 12:50
till

ISPConfig offers you a wide variety of ways to run your PHP scripts, like mod_php, suphp, cgi, php-fcgi and suexec, so it's up to you how you select the level of security vs. speed for every website.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
20th June 2009, 06:13
exabytes18

Does that leave permissions to restrict access then? I'm not exactly sure how this works, so bear with me.

So, apache runs as usual. When a php script is executed, apache calls suphp (or suexec) which launches php under the respective user id. PHP then interprets the script. Now assuming permissions are set somewhat intelligently, doesn't that leave some "sensitive" files readable like /etc/passwd and the like?

I like the peace of mind of knowing that users are jailed within their directory and able to frolic all they want without harming any part of the system. Is there any way to provide this level of security within ISPConfig?

Thanks,
Matt
#4
20th June 2009, 10:35
till

This is not ISPConfig specific, as this is the same for all webservers using PHP. suPHP restricts users to a specific directory and is also able to chroot them, and more detailed restrictions can be set when you assign a specific php.ini file for a site where you disable all functions like exec, system, passthru etc. that might be dangerous and which are not needed by the site:

http://www.suphp.org/DocumentationVi...=apache/CONFIG
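
The per-site php.ini restrictions described in the reply above can be checked with a short audit script. This is an added example, not part of the original thread or of ISPConfig or suPHP; the site path, the sample php.ini contents and the helper names `parse_ini`, `inside` and `audit` are constructed for illustration.

```python
import posixpath

# Functions the reply names as dangerous; extend the tuple for your own policy.
RISKY = ("exec", "system", "passthru")

# Constructed sample: a per-site php.ini for a hypothetical site root.
SAMPLE_INI = """\
[PHP]
; per-site overrides
disable_functions = exec, system
open_basedir = "/var/www/site1/web:/var/www/site1/tmp:/usr/share/php"
"""

def parse_ini(text):
    """Return {directive: value}; a later assignment replaces an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"\'')
    return settings

def inside(path, root):
    """True if path is root itself or lies below it, after normalisation."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(text, site_root, risky=RISKY):
    """List hardening gaps in a per-site php.ini given as text."""
    cfg = parse_ini(text)
    findings = []
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    for func in risky:
        if func not in disabled:
            findings.append(f"disable_functions does not list {func}")
    basedir = cfg.get("open_basedir", "")
    if not basedir:
        findings.append("open_basedir is unset: no path restriction")
    for entry in filter(None, basedir.split(":")):
        if not inside(entry, site_root):
            findings.append(f"open_basedir allows {entry}, outside {site_root}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, "/var/www/site1"):
        print("FINDING:", finding)
```

The path comparison normalises `..` segments and matches whole directory names, so a sibling such as `/var/www/site10` is not treated as lying inside `/var/www/site1`.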
#5
20th June 2009, 12:02
exabytes18

Is suPHP generally what most people use? Is it robust enough for production use?

But anyway, thanks till, you've been very informative.
- Matt