On Fri, 2012-11-02 at 14:31 -0500, Dan wrote:
Ben,
Yes you're right, we are using mod_php, but only because no other
alternative was required up to this point.
This server hosts many vhosts, and I've read that SuEXEC isn't
appropriate for multi-site installations of apache.
suexec is perfect for any number of hosts, but I assume you mean the phpsuexec stuff, which you are in fact correct, it, along with suphp, introduce serious performance hits if you have more than a few hundred vhosts, and given most hosts run a couple of thousands vhosts per typical, say DL380 type machine, you will notice it, and your customers will notice it - especially if the machine has many busy sites.
thats why most large sites use php admin value flags for locking them down, but some php plugins that are poorly written dont always honour those restrictions, which is where suhosin comes in to try fill the gap ( although I think its mod_php's job to be more anal about what it allows) in trying to catch those uselessly written extensions for doing stuff you dont want it to, even in this configuration, it wont be 100% secure, but it certainly is not 100% secure using other methods either, suphp for instance although not too bad in past couple years, has had a poor history in the past.
I'm looking into SuPHP right now, but their site _seems_ to be down.
setfacl chmod etc are no good, they only set existing, you need to work with umasks, it is not possible to have apache set umask in virtualhosts, a dirty way would be to set the umask in the init script for httpd, but I would not recommend that since allowing httpd to group write access, will introduce major security issues for all vhosts. You are better off circumventing this via ftp, what ftpd are you using?
