[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: advice request for shared hosting and security issue

On 06/24/2013 11:29 PM, Matus UHLAR - fantomas wrote:
On 06/24/2013 02:14 PM, Oğuz Yarımtepe wrote:
I solved this isseu by completely removing php-fpm and fastcgi and just
using mod_php. Added php_admin_value open_basedir path fr each vhost.

On 24.06.13 22:38, Thomas Goirand wrote:
Great, you now have a security hole, using a deprecated directive, which
is removed in the current stable version of PHP!

When was open_basedir deprecated? I see that safe_mode is deprecated, but
not the open_basedir...

On 25.06.13 01:37, Thomas Goirand wrote:
Ok, probably not. However, open_basedir is *not* something that is
useful in terms of security. Libraries which can be called by PHP still
have access to the full of the filesystem. So yes, you'd be restricting
includes, but that's it, and this is not enough. The solution is a full
chroot for each vhost.

the open_basedir will protect us against malicious scripts trying to scan
filesystem over protected area.

Of course, if there's something in PHP (as curl module some years ago), it's
problem of  the module.

even chroot() won't protect us against kernel bugs, but does that mean we
should use virtualization instead?

So, I understand things like open_basedir as another step in security, made
by PHP...

Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them, One OS to bring them all and into darkness bind them
Reply to: