PHP Developers Network

PHP DSO security

Author:  rhecker [ Sat Aug 04, 2012 12:15 pm ]
Post subject:  PHP DSO security

My VPS currently has PHP running as DSO. Although I am concerned about security, I'm wondering how much more secure SuPHP or FastCGI would really be.

1. Although there are 15 client websites on the server, I am the sole developer, so I know that permissions 777 is never used anywhere.

2. All websites are custom CMSs written in PHP, so there are many folders owned by nobody (account is group) and set to 750. All of the file upload scripts are within session-protected admin systems.

Given the above, I feel fine about using DSO. Can anyone provide an argument for moving away from DSO, given the environment described? The descriptions of the PHP handlers that I have read don't go into very much detail, so I want to make sure I am evaluating this correctly.
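
Added example, not part of the thread: under DSO (mod_php) every site's PHP runs as the same web-server user, so the two facts the post relies on (nothing world-writable, and which folders that user can write to) can be checked rather than assumed. The function names are illustrative, and the web-server user defaults to "nobody" as described in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a docroot for what matters under
# mod_php/DSO, where all sites' PHP code executes as one shared user.
# Usage: sh audit.sh DOCROOT [WEB_USER]   (WEB_USER defaults to "nobody")

# Files and directories any local user can write: the "777" case, but also
# 666, 757 and similar modes. Symlinks are skipped (their mode is meaningless).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Directories owned by the web-server user with the owner write bit set,
# e.g. the nobody-owned 750 folders from the post. Under DSO, PHP code from
# any site on the server can create files in these.
web_writable_dirs() {
    find "$1" -type d -user "$2" -perm -0200 -print
}

# PHP files sitting directly inside those directories. A script here can be
# replaced or planted by any PHP process on the box, so upload and cache
# folders should normally contain none.
php_in_web_writable() {
    web_writable_dirs "$1" "$2" | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f -name '*.php' -print
    done
}

if [ "$#" -ge 1 ]; then
    web_user=${2:-nobody}
    echo "== world-writable paths under $1 =="
    world_writable "$1"
    echo "== directories writable by $web_user =="
    web_writable_dirs "$1" "$web_user"
    echo "== PHP files inside those directories =="
    php_in_web_writable "$1" "$web_user"
fi
```

Empty output in the first and third sections is the result to aim for; the second section is the list of places where one site's compromise can write into another site.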

Author:  ragax [ Mon Aug 06, 2012 10:43 pm ]
Post subject:  Re: PHP DSO security

Hi rhecker,

First off let me say that I don't have a good answer to your question but have been wondering the same, and feeling optimistic.
I too switched from SuPHP to DSO recently when moving my VPS over to KH. One of my concerns was email, and I have been looking at the log in WHM for sent mails from the nobody account. But I have been gradually removing 3rd-party scripts over the past year, so 95% of what I have across the websites is now hand-coded. It sounds like we're in a similar situation.

A few weeks ago I ran a script called PHPSECINFO and found that worthwhile. It pointed out the names of a number of risky PHP functions that I don't use and therefore added to the disable list in WHM. It looks like a serious product. There were a few other recommendations I implemented.

You say your libraries are above the html root. You sound like you're in good shape and proceeding deliberately. But again, I don't have the full answer.

Not about security: I wonder if you are running nginx, which has been recommended to me to use with DSO and EAccelerator. So far no complaints. PHP is pretty fast. They say 5.4 is even faster but it still seems problematic in cPanel.

Please keep us posted, that's an important topic. :)

Wishing you a beautiful week,

Author:  rhecker [ Wed Aug 08, 2012 11:24 am ]
Post subject:  Re: PHP DSO security

Thanks for your comments, Ragax.

So far performance on my VPS has been excellent; none of my sites are very demanding of resources. I am working on a project now that will probably eventually be pretty demanding. So I am running Apache2 and have not yet looked seriously at alternatives like nginx.

Thanks for the heads up about PHPSECINFO.

Author:  ragax [ Wed Aug 08, 2012 3:59 pm ]
Post subject:  Re: PHP DSO security

Hi rhecker,

Good to hear from you and great to know that your VPS is working well!
That really pleases me. You get what you pay for.

> alternatives like nginx

Just to clarify, nginx does not replace Apache. If I understand, it's some kind of caching proxy in front of Apache.
If you become interested at some point down the line and have a managed VPS, they should be able to install it for you in a jiffy. Once installed, it even shows in the WHM panel. I'm certainly not an expert and followed recommendations on the WHT forum.

All times are UTC - 5 hours