PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




 Post subject: PHP DSO security
Posted: Sat Aug 04, 2012 12:15 pm
Forum Contributor

Joined: Fri Jul 11, 2008 5:49 pm
Posts: 178
My VPS currently has PHP running as DSO. Although I am concerned about security, I'm wondering how much more secure SuPHP or FastCGI would really be.

1. Although there are 15 client websites on the server, I am the sole developer, so I know that permissions 777 is never used anywhere.

2. All websites are custom CMSs written in PHP, so there are many folders owned by nobody (account is group) and set to 750. All of the file upload scripts are within sessions-protected admin systems.

Given the above, I feel fine about using DSO. Can anyone provide an argument for moving away from DSO, given the environment described? The descriptions of the PHP handlers that I have read don't go into very much detail, so I want to make sure I am evaluating this correctly.
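
An added example, not part of the original thread: a read-only audit of the setup described in the first post (no 777 anywhere, folders owned by nobody at 750). It assumes PHP under DSO executes as the web server account (`nobody` on this server) and that docroots follow a cPanel-style `/home/*/public_html` layout; the function name and output labels are made up for this example.

```shell
# Added example. Assumptions: PHP under DSO runs as the web server account
# ("nobody" here); docroots follow a cPanel-style /home/*/public_html layout.
#
# audit_docroot ROOT [WEB_USER]  (WEB_USER may be a name or a numeric uid)
# Read-only. Prints one tab-separated finding per line:
#   WORLD_WRITABLE    path with the o+w bit set (the "777" case)
#   WEBUSER_WRITABLE  directory owned by WEB_USER with its u+w bit set
#   PHP_IN_WRITABLE   .php file sitting directly in such a directory
audit_docroot() {
    ad_root=$1
    ad_user=${2:-nobody}

    # 1. Anything world-writable. Symlinks are skipped: their mode bits
    #    are always rwxrwxrwx on Linux and say nothing about the target.
    find "$ad_root" ! -type l -perm -0002 -print |
    while IFS= read -r ad_path; do
        printf 'WORLD_WRITABLE\t%s\n' "$ad_path"
    done

    # 2. Directories the web server account owns and can write to.
    find "$ad_root" -type d -user "$ad_user" -perm -0200 -print |
    while IFS= read -r ad_dir; do
        printf 'WEBUSER_WRITABLE\t%s\n' "$ad_dir"
        # 3. Scripts in that directory. Creating, renaming and deleting
        #    entries is governed by the directory's permissions, not the
        #    file's, so these are worth a manual review.
        find "$ad_dir" -maxdepth 1 -type f -name '*.php' -print |
        while IFS= read -r ad_php; do
            printf 'PHP_IN_WRITABLE\t%s\n' "$ad_php"
        done
    done
}

# Typical run over every account (layout is an assumption):
#   for d in /home/*/public_html; do audit_docroot "$d" nobody; done
```

Every `WEBUSER_WRITABLE` line is a location that PHP running on any of the sites can write to when all of them share one handler account, which is the property suPHP or per-user FastCGI would change.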


 
 Post subject: Re: PHP DSO security
Posted: Mon Aug 06, 2012 10:43 pm
Forum Commoner

Joined: Thu Dec 15, 2011 2:40 pm
Posts: 85
Location: Nelson, NZ
Hi rhecker,

First off let me say that I don't have a good answer to your question but have been wondering the same, and feeling optimistic.
I too switched from SuPHP to DSO recently when moving my VPS over to KH. One of my concerns was email, and I have been looking at the log in WHM for sent mails from the nobody account. But I have been gradually removing 3rd-party scripts over the past year, so 95% of what I have across the websites is now hand-coded. It sounds like we're in a similar situation.

A few weeks ago I ran a script called PHPSECINFO and found that worthwhile. It pointed out the names of a number of risky PHP functions that I don't use and therefore added to the disable list in WHM. It looks like a serious product. There were a few other recommendations I implemented.

You say your libraries are above the html root. You sound like you're in good shape and proceeding deliberately. But again, I don't have the full answer.

Not about security: I wonder if you are running nginx, that has been recommended to me to use with DSO and EAccelerator. So far no complaints. PHP is pretty fast. They say 5.4 is even faster but it still seems problematic in cPanel.

Please keep us posted, that's an important topic. :)

Wishing you a beautiful week,


 
 Post subject: Re: PHP DSO security
Posted: Wed Aug 08, 2012 11:24 am
Forum Contributor

Joined: Fri Jul 11, 2008 5:49 pm
Posts: 178
Thanks for your comments, Ragax.

So far performance on my VPS has been excellent; none of my sites are very demanding of resources. I am working on a project now that will probably eventually be pretty demanding. So I am running Apache2 and have not yet looked seriously at alternatives like nginx.

Thanks for the heads up about PHPSECINFO.


 
 Post subject: Re: PHP DSO security
Posted: Wed Aug 08, 2012 3:59 pm
Forum Commoner

Joined: Thu Dec 15, 2011 2:40 pm
Posts: 85
Location: Nelson, NZ
Hi rhecker,

Good to hear from you and great to know that your VPS is working well!
That really pleases me. You get what you pay for.

> alternatives like nginx

Just to clarify, nginx does not replace Apache. If I understand, it's some kind of caching proxy in front of Apache.
If you become interested at some point down the line and have a managed VPS, they should be able to install it for you in a jiffy. Once installed, it even shows in the WHM panel. I'm certainly not an expert and followed recommendations on the WHT forum.

