httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Noel Butler <noel.but...@ausics.net>
Subject Re: [users@httpd] Apache not honoring SUID/GUID or FACL
Date Sat, 03 Nov 2012 03:56:46 GMT
On Fri, 2012-11-02 at 14:31 -0500, Dan wrote:

> Ben,
> 
> Yes you're right, we are using mod_php, but only because no other
> alternative was required up to this point.
> 
> This server hosts many vhosts, and I've read that SuEXEC isn't
> appropriate for multi-site installations of apache.
> 


suexec is perfect for any number of hosts, but I assume you mean the
phpsuexec stuff, which you are in fact correct, it, along with suphp,
introduce serious performance hits if you have more than a few hundred
vhosts, and given most hosts run a couple of thousands vhosts per
typical, say DL380 type machine, you will notice it, and your customers
will notice it - especially if the machine has many busy sites.

thats why most large sites use php admin value flags for locking them
down, but some php plugins that are  poorly written dont always honour
those restrictions, which is where suhosin comes in to try fill the gap
( although I think its mod_php's job to be more anal about what it
allows) in trying to catch those uselessly written extensions for doing
stuff you dont want it to, even in this configuration, it wont be 100%
secure, but it certainly is not 100% secure using other methods either,
suphp for instance although not too bad in past couple years, has had a
poor history in the past.



> I'm looking into SuPHP right now, but their site _seems_ to be down.
> 


:)


setfacl chmod etc are no good, they only set existing, you need to work
with umasks, it is not possible to have apache set umask in
virtualhosts, a dirty way would be to set the umask in the init script
for httpd, but I would not recommend that since allowing httpd to group
write access, will introduce major security issues for all vhosts. You
are better off circumventing this via ftp, what ftpd are you using?



Mime
View raw message