[solved] Cloudlinux PHP LSAPI "say no to suexec"
Okay well here is a question for you, I have been in a long discussion with Igor regarding suexec vs lsapi php security... Because we are using CageFS the user can only see their own files... but if you use suexec then and attacker can delete a customers site and or easily add malicious code to their files.
Because CageFS already provides the benefit of preventing a user from accessing the other users files, couldnt we just cage php lsapi and not use suexec
here is Igor's response:
You can check with LiteSpeed regarding doing LVE/CageFS without suexec. I believe they might be able to do CageFS without suexec, as they still terminate apache request after it served the request.
Either that or add a suexec ForceUID option just like you have the forcegid option... that way even though we are in suexec mode the user can be forced to something different than the user that owns the files..... this way it since suexec already work in cagefs it would be a no brainer to prevent deletion of files
But isnt it true that LVE controls dont work in suexec mode? so wouldnt my above recommendation of CageFS +php lsapi work with LVE???
Last edited by NiteWave; 09-24-2012 at 07:21 PM..
|
Threaded Mode