I have a question. I didn’t actually think about this before, but I would like to know if InterWorx supports open_basedir restrictions. If so, how do I enable it (unless it is already enabled)? I don’t want to see someone somehow gaining access to an account on the server and wiping out other users simply because they can do so.
The mod_userdir is more about the bandwidth theft issues; however, it’s not that much of a problem.
InterWorx executes all PHP scripts as the user that the account is under, so open_basedir really doesn’t help you any at all.
Obviously when the script is running as the account user it carries over those Unix permissions, one of those being that it cannot access other users’ directories.
Actually, PHP scripts run via mod_php4 are run as apache. PHP scripts run as CGIs are run as the user (via suexec). open_basedir can be turned on manually by adding the open_basedir directives to the conf files under /etc/httpd/conf.d/<domain>.conf.
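A check an administrator could run over those per-domain conf files, as an added example that is not part of the original thread and not InterWorx's own code: it flags virtual hosts where open_basedir is missing, set with php_value instead of php_admin_value, or lists a path without a trailing slash. The domains, users, IP address and home-directory paths in the sample are constructed.

```python
import re

# Constructed sample of vhost blocks as they might appear in
# /etc/httpd/conf.d/<domain>.conf (all names and paths are made up).
SAMPLE = """
<VirtualHost 192.0.2.10:80>
    ServerName example-a.test
    php_admin_value open_basedir "/home/usera/:/tmp/"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName example-b.test
    php_value open_basedir /home/userb:/tmp/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName example-c.test
    # php_admin_value open_basedir "/home/userc/:/tmp/"
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
SERVERNAME = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
DIRECTIVE = re.compile(
    r'^\s*(php_admin_value|php_value)\s+open_basedir\s+"?([^"\n]+)"?\s*$',
    re.M | re.I)

def audit(conf_text):
    """Return {ServerName: [findings]} for every <VirtualHost> block."""
    report = {}
    for body in VHOST.findall(conf_text):
        body = re.sub(r"^\s*#.*$", "", body, flags=re.M)  # ignore comments
        name = SERVERNAME.search(body)
        name = name.group(1) if name else "(unnamed)"
        findings = []
        match = DIRECTIVE.search(body)
        if not match:
            findings.append("open_basedir not set")
        else:
            if match.group(1).lower() == "php_value":
                # php_admin_value cannot be overridden by .htaccess or ini_set()
                findings.append("set with php_value; use php_admin_value")
            for path in match.group(2).strip().split(":"):
                # Older PHP versions such as PHP 4 match the value as a prefix,
                # so /home/userb would also permit /home/userb2.
                if not path.endswith("/"):
                    findings.append(f"{path}: no trailing slash")
        report[name] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "OK" if not findings else findings)
```

To audit a real server, pass the text of each conf file to `audit()` in place of the sample string.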
Do you have plans to let people enable this open_basedir option globally? I saw in another thread that you were worried about bugs in the module. I’m not sure how accurate that assessment is. We’ve been using that option for two years now on our fleet of cPanel servers. No problems. For my InterWorx server, it doesn’t matter if I have to add this feature in manually.
Do you have plans for a FastCGI or PerChild module? I personally favour the FastCGI module. It’s got the security of the CGI PHP, and the speed of mod_php. Last time I used it, it was a little buggy.
I’m not sure about the perchild module, but I’m pretty sure that FastCGI is still alive and kicking. Its demand is huge in applications like Zeus webservers and IIS PHP. To make PHP work consistently in a good production environment, FastCGI is the only option.
Or did you mean InterWorx development of those as possible features?
With the curl or Oracle libraries, a user may gain access to all your data even if open_basedir and/or safe mode is enabled.
OK, it is surely better than nothing.
I think that the best solution, from a security point of view, would be to run PHP with FastCGI or something like perchild, or maybe have a proxy front end and run multiple instances of Apache on different ports (but it is not so easy to implement in virtual hosting).