PHP DSO security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

PHP DSO security

Postby rhecker » Sat Aug 04, 2012 12:15 pm

My VPS currently has PHP running as DSO. Although I am concerned about security, I'm wondering how much more secure SuPHP or FastCGI would really be.

1. Although there are 15 client websites on the server, I am the sole developer, so I know that permission 777 is never used anywhere.

2. All websites are custom CMSs written in PHP, so there are many folders owned by nobody (account is group) and set to 750. All of the file upload scripts are within session-protected admin systems.

Given the above, I feel fine about using DSO. Can anyone provide an argument for moving away from DSO, given the environment described? The descriptions of the PHP handlers that I have read don't go into very much detail, so I want to make sure I am evaluating this correctly.
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm
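The point the DSO-vs-suPHP comparison turns on is that under DSO (mod_php) every account's PHP runs as the one web-server user, so a directory that user can write to on one site is reachable from any other site's scripts on the same box. The audit below is an added example, not code from this thread; it assumes the web-server user is named `nobody` and that document roots live under `/home/*/public_html`.

```bash
#!/bin/sh
# Constructed example: list directories a shared web-server user could write to.
# Under DSO every PHP script on the server runs as this user, so each directory
# printed here is writable from every site's code, not just the site that owns it.
# The user name "nobody" and the /home/*/public_html layout are assumptions.

# find_web_writable <web_user> <dir>...
# A directory counts as writable when it is
#   (a) owned by web_user with the owner-write bit (octal 200),
#   (b) group-owned by web_user's primary group with group-write (octal 020), or
#   (c) world-writable (octal 002).
find_web_writable() {
    user=$1; shift
    group=$(id -gn "$user" 2>/dev/null) || return 2   # unknown user
    find "$@" -type d \( \
        \( -user "$user" -perm -200 \) -o \
        \( -group "$group" -perm -020 \) -o \
        -perm -002 \) -print | sort
}

# count_web_writable <web_user> <dir>...
# Number of such directories; useful as a baseline to alert on when it grows.
count_web_writable() {
    find_web_writable "$@" | wc -l | tr -d ' '
}

# find_web_owned_files <web_user> <dir>...
# Regular files owned by the web-server user: under DSO these are the files PHP
# itself created (uploads, caches), so anything unexpected here deserves a look.
find_web_owned_files() {
    user=$1; shift
    find "$@" -type f -user "$user" -print | sort
}

# Stand-alone usage (assumed cPanel layout):
#   find_web_writable nobody /home/*/public_html
#   find_web_owned_files nobody /home/*/public_html
```

Run it as root so `find` can descend into the 750 directories; a 750 directory owned by `nobody` is still listed, because `nobody` can write to it regardless of the group restriction.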

Re: PHP DSO security

Postby ragax » Mon Aug 06, 2012 10:43 pm

Hi rhecker,

First off let me say that I don't have a good answer to your question but have been wondering the same, and feeling optimistic.
I too switched from SuPHP to DSO recently when moving my VPS over to KH. One of my concerns was email, and I have been looking at the log in WHM for sent mails from the nobody account. But I have been gradually removing 3rd-party scripts over the past year, so 95% of what I have across the websites is now hand-coded. It sounds like we're in a similar situation.

A few weeks ago I ran a script called PHPSECINFO and found that worthwhile. It pointed out the names of a number of risky PHP functions that I don't use, so I added them to the disable list in WHM. It looks like a serious product. There were a few other recommendations I implemented.

You say your libraries are above the html root. You sound like you're in good shape and proceeding deliberately. But again, I don't have the full answer.

Not about security: I wonder if you are running nginx; that has been recommended to me for use with DSO and EAccelerator. So far no complaints. PHP is pretty fast. They say 5.4 is even faster, but it still seems problematic in cPanel.

Please keep us posted, that's an important topic. :)

Wishing you a beautiful week,
ragax
Forum Commoner
Posts: 85
Joined: Thu Dec 15, 2011 2:40 pm
Location: Nelson, NZ

Re: PHP DSO security

Postby rhecker » Wed Aug 08, 2012 11:24 am

Thanks for your comments, Ragax.

So far performance on my VPS has been excellent; none of my sites are very demanding of resources. I am working on a project now that will probably eventually be pretty demanding. So I am running Apache2 and have not yet looked seriously at alternatives like nginx.

Thanks for the heads up about PHPSECINFO.
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: PHP DSO security

Postby ragax » Wed Aug 08, 2012 3:59 pm

Hi rhecker,

Good to hear from you and great to know that your VPS is working well!
That really pleases me. You get what you pay for.

> alternatives like nginx

Just to clarify, nginx does not replace Apache. If I understand, it's some kind of caching proxy in front of Apache.
If you become interested at some point down the line and have a managed VPS, they should be able to install it for you in a jiffy. Once installed, it even shows in the WHM panel. I'm certainly not an expert and followed recommendations on the WHT forum.
ragax
Forum Commoner
Posts: 85
Joined: Thu Dec 15, 2011 2:40 pm
Location: Nelson, NZ
