Topic: How secure is PHP7.x with suEXEC?

Hi guys

I was wondering if anyone has some articles or comments about the following setup.

I have a box with
CentOS7
Apache (stock)
Remi PHP7.1 and PHP7.2 using mod_fcgid and suEXEC (I use a control panel which does not allow me to use php-fpm; it only allows DSO, suPHP and FastCGI)

My question now is, how secure is it using suEXEC compared to e.g. suPHP?

I'm used to running PHP using suPHP, as I have experienced that using DSO in a shared environment is somewhat tedious because of permissions. I might just not have hit the spot with that.

Any thoughts or suggestions?

Thanks, Scott

Re: How secure is PHP7.x with suEXEC?

As soon as some PHP process is allowed to change files (configuration or PHP scripts), your server is NOT secure.

At least, such an app should only be accessible on some private network.

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: How secure is PHP7.x with suEXEC?

Okay what would be a better option in terms of speed and security?

Re: How secure is PHP7.x with suEXEC?

IMHO: https://developers.redhat.com/blog/2017 … tion-tips/

Re: How secure is PHP7.x with suEXEC?

Okay, thank you.

How does php-fpm go about user permissions in terms of uploading and downloading via FTP? And with which user is php-fpm executed?

With DSO it is normally executed as apache:apache; with suPHP and suEXEC you typically impersonate the owner of the website if so configured in httpd.conf. But what about php-fpm?

Re: How secure is PHP7.x with suEXEC?

> But what about php-fpm?
> which user is php-fpm executed?

The one you define in the pool configuration.
So you can run 1 pool per user (I know some people running hundreds of pools; there seems to be some limit above a thousand).

Also, a good practice is to have a "foo-reader" account (for FPM, read-only) and a "foo-writer" account for page updates.
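As an added example (not from this thread or from the Remi project), here is the per-site pool layout the reply above describes, written as a small Python helper: it renders a php-fpm pool that runs as the read-only `foo-reader` account, and it audits a docroot so that the only paths the pool user can write are the ones you deliberately allowed (an uploads directory here). The site name, the account names and uids, the docroot and the sample file tree are all constructed for the illustration; on a real server `scan_tree()` replaces the constructed tree with a walk of the actual docroot. The audit is what makes the earlier warning in the thread checkable: if the PHP process can write its own scripts or configuration, the audit reports those paths.

```python
"""Per-site php-fpm pool with a read-only pool user, plus a docroot write audit.

Added example for the forum thread; not Remi's or php-fpm's own code.
Account names, uids, paths and the sample tree are constructed.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# (path, permission bits, owner uid, owner gid), the shape os.lstat gives us.
Entry = Tuple[str, int, int, int]


@dataclass(frozen=True)
class Account:
    """A Unix account as the kernel sees it: uid plus all group memberships."""
    uid: int
    gids: frozenset


def fpm_pool_config(site: str, reader: str, group: str, docroot: str) -> str:
    """Render one php-fpm pool section running as the read-only account.

    Worker processes run as `reader`; the socket is owned by the web server
    so only httpd can connect; open_basedir confines file access to the site.
    """
    return "\n".join([
        f"[{site}]",
        f"user = {reader}",
        f"group = {group}",
        f"listen = /run/php-fpm/{site}.sock",
        "listen.owner = apache",
        "listen.group = apache",
        "listen.mode = 0660",
        "pm = ondemand",
        "pm.max_children = 10",
        f"php_admin_value[open_basedir] = {docroot}:/tmp",
        "",
    ])


def can_write(mode: int, owner_uid: int, owner_gid: int, acct: Account) -> bool:
    """Classic POSIX mode-bit evaluation (ignores ACLs and SELinux)."""
    if acct.uid == 0:                      # root bypasses mode bits
        return True
    if acct.uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in acct.gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_paths(tree: Iterable[Entry], acct: Account) -> List[str]:
    """Every path in `tree` that `acct` could modify."""
    return [p for p, mode, uid, gid in tree if can_write(mode, uid, gid, acct)]


def audit_docroot(tree: Iterable[Entry], pool_user: Account,
                  allowed_prefixes: Tuple[str, ...]) -> List[str]:
    """Paths writable by the pool user that are NOT under an allowed prefix.

    An empty result means the PHP process cannot alter scripts or config,
    which is the property the thread says a shared host must keep.
    """
    return [p for p in writable_paths(tree, pool_user)
            if not p.startswith(allowed_prefixes)]


def scan_tree(root: str) -> List[Entry]:
    """Walk a real docroot into the Entry shape (used on an actual server)."""
    entries: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [""] + dirnames + filenames:
            p = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(p)
            entries.append((p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return entries


# Constructed sample: foo-writer (uid 1000) owns the site, group "foo" (2000)
# is shared with foo-reader (uid 1001).  Only uploads/ is group-writable.
DOCROOT = "/home/foo/public_html"
SAMPLE_TREE: List[Entry] = [
    (DOCROOT, 0o750, 1000, 2000),
    (DOCROOT + "/index.php", 0o640, 1000, 2000),
    (DOCROOT + "/config.php", 0o600, 1000, 2000),
    (DOCROOT + "/uploads", 0o770, 1000, 2000),
]
FOO_READER = Account(uid=1001, gids=frozenset({1001, 2000}))
FOO_WRITER = Account(uid=1000, gids=frozenset({1000, 2000}))

if __name__ == "__main__":
    print(fpm_pool_config("foo", "foo-reader", "foo", DOCROOT))
    print("unexpected writable paths:",
          audit_docroot(SAMPLE_TREE, FOO_READER, (DOCROOT + "/uploads",)))
```

Running it on a real box means `audit_docroot(scan_tree("/home/foo/public_html"), Account(uid, gids), allowed)` with the uid and groups of the pool user (`id foo-reader` gives them). The audit is deliberately the plain mode-bit rule; if you use ACLs or SELinux on the host, they can only tighten the result, not loosen it.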