Posted: Mon Apr 20, 2009 1:07 pm Post subject: suPHP or alternatives
I'm setting up a Linux web server that's running Apache 2.2 and PHP 5. There are several PHP apps and more might be installed later. Some of these apps have their MySQL databases, which I would really like to protect. The database passwords for those, of course, have to be stored in config files readable by PHP.
I'm concerned that a vulnerability might be discovered in one of the other apps that would allow an attacker to execute arbitrary PHP code. Most of the apps are not security-critical themselves, but if all the apps are running under the same identity then the attacker could access all the databases and the entire system is compromised.
I'd like to, as much as possible, limit any compromise to the application that was compromised. suPHP seems like the thing that can do that, but I've had no personal experience with it. From what I've read it hurts performance pretty badly (compared to mod_php). Could anyone offer any advice, preferably based on experience, on whether it works well and what other problems it might bring? Are there any alternatives to it? mod-itk seemed promising, but as far as I can see that only works on a vhost level, not on a directory level as I need.