My VPS currently has PHP running as DSO. Although I am concerned about security, I'm wondering how much more secure SuPHP or FastCGI would really be.
1. Although there are 15 client websites on the server, I am the sole developer, so I know that permissions 777 is never used anywhere.
2. All websites are custom CMS's written in PHP, so there are many folders owned by nobody (account is group) and set to 750. All of the file upload scrpts are within sessions-protected admin systems.
Given the above, I feel fine about using DSO. Can anyone provide an argument for moving away from DSO, given the environment described? The descriptions of the PHP handlers that I have read don't go into very much detail, so I want to make sure I am evaluating this correctly.
PHP Developers Network
A community of PHP developers offering assistance, advice, discussion, and friendship.
PHP DSO security
Moderator: General Moderators
4 posts
• Page 1 of 1
PHP DSO security
by rhecker » Sat Aug 04, 2012 12:15 pm
- rhecker
- Forum Contributor
- Posts: 159
- Joined: Fri Jul 11, 2008 5:49 pm
Re: PHP DSO security
by ragax » Mon Aug 06, 2012 10:43 pm
Hi rhecker,
First off let me say that I don't have a good answer to your question but have been wondering the same, and feeling optimistic.
I too switched from SuPHP to DSO recently when moving my VPS over to KH. One of my concerns was email, and I have been looking at the log in WHM for sent mails from the nobody account. But I have been gradually removing 3rd-party scripts over the past year, so 95% of what I have across the websites is now hand-coded. It sounds like we're in a similar situation.
A few weeks ago I ran a script called PHPSECINFO and found that worthwhile. It pointed the names of a number of risky PHP functions that I don't use and therefore added to the disable list in WHM. It looks like a serious product. There were a few other recommendations I implemented.
You say your libraries are above the html root. You sound like you're in good shape and proceeding deliberately. But again, I don't have the full answer.
Not about security: I wonder if you are running nginx, that has been recommended to me to use with DSO and EAccelerator. So far no complaints. PHP is pretty fast. They say 5.4 is even faster but it still seems problematic in cPanel.
Please keep us posted, that's an important topic.
Wishing you a beautiful week,
First off let me say that I don't have a good answer to your question but have been wondering the same, and feeling optimistic.
I too switched from SuPHP to DSO recently when moving my VPS over to KH. One of my concerns was email, and I have been looking at the log in WHM for sent mails from the nobody account. But I have been gradually removing 3rd-party scripts over the past year, so 95% of what I have across the websites is now hand-coded. It sounds like we're in a similar situation.
A few weeks ago I ran a script called PHPSECINFO and found that worthwhile. It pointed the names of a number of risky PHP functions that I don't use and therefore added to the disable list in WHM. It looks like a serious product. There were a few other recommendations I implemented.
You say your libraries are above the html root. You sound like you're in good shape and proceeding deliberately. But again, I don't have the full answer.
Not about security: I wonder if you are running nginx, that has been recommended to me to use with DSO and EAccelerator. So far no complaints. PHP is pretty fast. They say 5.4 is even faster but it still seems problematic in cPanel.
Please keep us posted, that's an important topic.
Wishing you a beautiful week,
(the user f.k.a. playful) Regex Tutorial | Latest RegexBuddy Demo
-
ragax - Forum Commoner
- Posts: 73
- Joined: Thu Dec 15, 2011 2:40 pm
- Location: Nelson, NZ
Re: PHP DSO security
by rhecker » Wed Aug 08, 2012 11:24 am
Thanks for your comments, Ragax.
So far performance on my VPS has been excellent; none of my sites are very demanding of resources. I am working on a project now that will probably eventually be pretty demanding. So I am running Apache2 and have not yet looked seriously at alternatives like nginx.
Thanks for the heads up about PHPSECINFO.
So far performance on my VPS has been excellent; none of my sites are very demanding of resources. I am working on a project now that will probably eventually be pretty demanding. So I am running Apache2 and have not yet looked seriously at alternatives like nginx.
Thanks for the heads up about PHPSECINFO.
- rhecker
- Forum Contributor
- Posts: 159
- Joined: Fri Jul 11, 2008 5:49 pm
Re: PHP DSO security
by ragax » Wed Aug 08, 2012 3:59 pm
Hi rhecker,
Good to hear from you and great to know that your VPS is working well!
That really pleases me. You get what you pay for.
> alternatives like nginx
Just to clarify, nginx does not replace Apache. If I understand, it's some kind of caching proxy in front of Apache.
If you become interested at some point down the line and have a managed VPS, they should be able to install it for you in a jiffy. Once installed, It even shows in the WHM panel. I'm certainly not an expert and followed recommendations on the WHT forum.
Good to hear from you and great to know that your VPS is working well!
That really pleases me. You get what you pay for.
> alternatives like nginx
Just to clarify, nginx does not replace Apache. If I understand, it's some kind of caching proxy in front of Apache.
If you become interested at some point down the line and have a managed VPS, they should be able to install it for you in a jiffy. Once installed, It even shows in the WHM panel. I'm certainly not an expert and followed recommendations on the WHT forum.
(the user f.k.a. playful) Regex Tutorial | Latest RegexBuddy Demo
-
ragax - Forum Commoner
- Posts: 73
- Joined: Thu Dec 15, 2011 2:40 pm
- Location: Nelson, NZ
4 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 4 guests