Apache2 security theory; mod_php versus CGI php and the use of suExec: What is the non-theoretical problem with running Apache2 with mod_php and thus without using suexec on a dedicated system?
I'm setting up a typical LAMP environment. I've used phpsecinfo to evaluate my current environment and implemented all of the recommended changes except for two, Group ID and User ID.
The distribution is the most recent Ubuntu Server with the mostly-default Apache2 configuration and the mostly-default PHP installation, with the exception of the changes recommended by phpsecinfo.
These warnings indicate that my group and user ID numbers are below 100 (33 to be specific), and therefore may be a problem. I am not sure how to interpret this.
I followed the documentation links and was about to implement SuExec when I realized that this meant doing a lot of other reconfiguration, like not using mod_php, and that meant changing a lot of other
This is not a shared system. It will only be used to host one company's applications through several virtual hosts. The applications will be PHP-based, and most frequently will use the Symfony framework. Apache currently runs as www-data, whose shell is /bin/false. SSH access to the system is by public-key authentication only and is further restricted at the daemon level to only specific real users.
What do I need to do to run this securely? Resources, guides and real-world examples would be greatly appreciated.
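The following audit helpers are an added example and are not part of the question above or of phpsecinfo itself. They make the practical consequence of the mod_php setup concrete: without suexec, every virtual host's PHP code runs as the one Apache identity (www-data, uid/gid 33 by default on Ubuntu), so any file that identity can write is writable by all hosted applications. The script reproduces the "id below 100" check that phpsecinfo reports, reads the account's login shell from a passwd-format file, and counts the files under a docroot that the Apache uid/gid can modify. The user name www-data and the docroot /var/www are assumed defaults; both can be overridden by arguments.

```shell
#!/bin/sh
# Added audit helpers for a mod_php host (example code, not from the post).
# Assumption: Apache's workers and all vhosts' PHP run as one identity
# because there is no suexec, so "writable by that identity" means
# "writable by every hosted application".

# phpsecinfo warns when the Apache uid/gid is below 100: Debian/Ubuntu
# reserve 0-99 for static system accounts, and www-data is 33.
id_is_low() {
    # $1 = numeric uid or gid; true (exit 0) when it is below 100
    [ "$1" -lt 100 ]
}

# Login shell of user $1, read from a passwd-format file ($2, default /etc/passwd).
# Prints nothing when the user does not exist.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}"
}

# Count regular files under docroot $1 that uid $2 / gid $3 can modify:
# owned by the uid, group-writable and owned by the gid, or world-writable.
# Under mod_php each such file is writable by every vhost's PHP code.
count_writable_by_id() {
    find "$1" -type f \( -uid "$2" -o \( -gid "$3" -perm -g=w \) -o -perm -o=w \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Whole-host report. Defaults (assumed): user www-data, docroot /var/www.
audit_host() {
    user="${1:-www-data}"
    root="${2:-/var/www}"
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user"; return 1; }
    gid=$(id -g "$user")
    printf 'user=%s uid=%s gid=%s shell=%s\n' "$user" "$uid" "$gid" "$(login_shell_of "$user")"
    if id_is_low "$uid"; then
        echo "uid $uid is below 100 (this is the phpsecinfo User ID warning)"
    fi
    if id_is_low "$gid"; then
        echo "gid $gid is below 100 (this is the phpsecinfo Group ID warning)"
    fi
    printf 'files under %s writable by uid %s / gid %s: %s\n' \
        "$root" "$uid" "$gid" "$(count_writable_by_id "$root" "$uid" "$gid")"
}
```

Run `audit_host` as root on the host to get the report; the interesting number is the last one. On a mod_php system the goal is that the Apache identity can write only the directories the applications genuinely need (upload and cache directories), with the rest of each docroot owned by a separate deployment account, because the low uid itself is only a convention and not what separates the virtual hosts from each other.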