Re: advice request for shared hosting and security issue
On 06/25/2013 07:32 PM, Matus UHLAR - fantomas wrote:
> Of course, if there's something in PHP (as curl module some years ago),
> it's problem of the module.
> even chroot() won't protect us against kernel bugs, but does that mean we
> should use virtualization instead?
Of course yes!!!
And also if there's really no choice but to leave multiple sites/users
on the same server (the only valid reason is in fact costs), then using
the GR security types of kernel is a good idea too (if you have the time
to maintain your own kernel build), so that a kernel bug has some
chances to be mitigated.
> So, I understand things like open_basedir as another step in security, made
> by PHP...
I believe you understand wrongly. It's to limit the include directive
and such, but that's it. It is in no way something you should trust to
do compartmentalization of users on a shared hosting server. You also
would have to drastically disable some functions (exec(), passthrough()
and friends, with btw a good chance that you will forget some of
them...) but really that isn't the solution either.
BTW, why do you think the text which I quoted went into the doc folder
of PHP in Debian?
Anyway, feel free not to trust both me, the PHP maintainers in Debian,
and ... the rest of the world! But one day, a site will get hacked
(that's normal...), and that as a consequence of your bad practices, all
of your server content will dies (that isn't...). Let's hope this never
happens to you.