...
The security posture is from an administrative perspective and is not for use with shared hosting.
Determine if this actually increases security - http://www.suphp.org/Home.html. suPHP and LiteSpeed make the most sense for shared hosting.

This article indicates that suPHP is slow, as it makes PHP run as a CGI. Instead, a poster recommended using what is available with mod_php - http://serverfault.com/questions/279938/should-i-use-suphp-or-mod-php-for-shared-hosting. In the same thread another poster recommends http://mpm-itk.sesse.net/, which allows vhosts to be run under different uid and gid.

A great discussion on using permissions, with the same conclusion I was coming to, using the www-data group - http://unix.stackexchange.com/questions/30879/what-user-should-apache-and-php-be-running-as-what-permissions-should-var-www

Probably the most complete, but also the most complex, solution is to use ACLs - http://serverfault.com/questions/339948/user-permissions-for-both-apache-and-local-user/357977
Restrict the Execution of PHP to a Specific Folder
Using sudo, edit /etc/php5/apache2/php.ini (e.g. with vi) to only allow execution of PHP scripts in specific directories.
```ini
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://php.net/open-basedir
open_basedir = /homeopt/www.krypton.com/www/blog/:/homeopt/www.earth.com/www/blog/
```
This helps limit the amount of damage that can be done, in the event that the system is compromised, to the specified directories.
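The php.ini comment above notes that open_basedir makes most sense per virtual host; with the single global value, PHP code in either site can still reach the other site's blog directory. The following is an added example, not part of the original page, of the per-vhost form under mod_php; the ServerName and DocumentRoot values are assumptions, and the open_basedir paths are the two from the line above.

```apache
# Added example: one open_basedir per site instead of one global list.
# ServerName and DocumentRoot are assumed values for illustration.

<VirtualHost *:80>
    ServerName www.krypton.com
    DocumentRoot /homeopt/www.krypton.com/www

    # php_admin_value cannot be overridden from .htaccess or ini_set(),
    # so site code cannot widen its own sandbox.
    php_admin_value open_basedir "/homeopt/www.krypton.com/www/blog/"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.earth.com
    DocumentRoot /homeopt/www.earth.com/www

    # This site's PHP code can no longer open files under www.krypton.com.
    php_admin_value open_basedir "/homeopt/www.earth.com/www/blog/"
</VirtualHost>
```

Run `sudo apache2ctl configtest` before reloading Apache to catch syntax errors in the vhost files.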
...
```bash
cd /homeopt/www.krypton.com/www/
# Only serveradmin can manage this site; group ownership by www-data ensures the Apache www-data user can access it.
sudo chown -R serveradmin:www-data ./cms/
# Remove all access for other users; only the owner and members of the www-data group keep access.
sudo chmod -R o-rwx ./cms/
```
...