2

I'm looking to secure some websites running under apache using suexec. At the moment php is executed with the user/group of the file being executed. This seems to me, not secure enough. It stops vhosts interfering with each other, but does not stop malicious code writing anywhere in the vhost being used.

I was thinking that a possibility would be to run scripts as nobody/vhost group, that way the vhost user could still have full access to the vhost directories, but executing php would only be able to write to files with g+w, and to execute files with g+x. This I think should stop arbitrary writing in the web dir from compromised php.

Just wondering if this is crazy, ridiculous, stupid?

Of course this would be done on top of existing security measures.

jsimmons
  • 123
  • 5

1 Answers1

1

It's not ridiculous or stupid - perhaps a little crazy but anyway... you might want to look at MPM_peruser or MPM_itk which seems to have minimal performance impact and are 100% compatible with mod_php.

SUEXEC require you to use PHP as a CGI and it will have performance impact on your websites ( of course it all depends how busy your websites are ...)

Also as this is just another thing on top of existing security measures I assume that you already have suhosin, mod_security setup & configured in place.

For a great info please look at the ref: http://catn.com/security/securing-mod-php/

Piotr
  • 136
  • 2
  • Welcome to Server Fault! Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – user9517 Apr 08 '12 at 22:34