Securing Apache/PHP in Shared Hosting Environments

Every couple of years I get interested in figuring out how to build a new shared hosting platform, like the one we used to run on AusGamers back in the day – we hosted over a thousand websites for things like gaming clans, hobby sites, and so on. We had a great, simple system that a few people hacked on that automatically provisioned an Apache setup, MySQL databases, and email. It was basic, but it did the job and meant we were able to easily provide a system to host all those sites, which we did on a single box.

This service was completely free and not considered mission critical; security was something we were vaguely concerned about but never really spent a lot of time on. My big concern was the PHP processing side – on most shared hosting platforms, PHP runs in the context of the Apache process, so every site's scripts execute as the same user, and if you're not really careful with your permissions one site's scripts can end up reading or writing another site's files.

So every few years I rack my brain to try to remember what options I looked at last time. This time, I’m going to write them down as I come across them so I can find them again easily when I repeat the process.

The solutions I am most interested in are the ones that let Apache run with only certain permissions based on who owns the files – so you can, for example, have multiple web roots, each owned by a different uid/gid (so sites have their own user account in the host operating system), and PHP’s access is limited to each directory as it executes as that user.

Here’s what I’ve found so far, in rough order of what I’m going to try:

MPM-ITK – non-threaded, so more stable but with a performance hit. Each vhost runs with its own uid/gid. Available in most major distro repositories (including Debian/Ubuntu). The parent process runs as root, since it has to in order to switch uid per request. Last update: Apr 2009.

suPHP – Apache module + setuid root binary that changes the uid of the process running a PHP script. Last update: Mar 2009.

Peruser MPM – runs each Apache process as its own uid/gid. Apparently has better performance under some circumstances; may need the non-threaded version for better stability. Last update: Oct 2007.

muxmpm/metuxmpm – the only reference I found points to this page, which is a 404; no other readily available information.

Any of these could be used in conjunction with PHP's open_basedir directive, which limits the files a script can open to the directory trees listed for that vhost.
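As an added example (not from the original post or from any of the projects above), here is what a single per-site vhost looks like under MPM-ITK with open_basedir layered on top. The site name example-a, the system user/group example-a, the paths under /var/www/example-a and Apache 2.4 access-control syntax are all assumptions for illustration; AssignUserID is mpm-itk's directive and the php_admin_* directives are mod_php's.

```apache
# Assumed layout (not from the original post):
#   /var/www/example-a/htdocs  owned example-a:example-a, mode 750
#   /var/www/example-a/tmp     owned example-a:example-a, mode 700
# With MPM-ITK the child handling this vhost switches to example-a, so the
# tree never needs to be readable by www-data or by any other site's user.

<VirtualHost *:80>
    ServerName example-a.test
    DocumentRoot /var/www/example-a/htdocs

    # mpm-itk: every request for this vhost is served as this uid/gid
    AssignUserID example-a example-a

    <Directory /var/www/example-a/htdocs>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Belt and braces: even running as the right user, keep PHP inside the
    # site's own tree. php_admin_* cannot be overridden from .htaccess or ini_set().
    php_admin_value open_basedir "/var/www/example-a/htdocs:/var/www/example-a/tmp"
    php_admin_value upload_tmp_dir "/var/www/example-a/tmp"
    php_admin_value session.save_path "/var/www/example-a/tmp"
    php_admin_flag allow_url_include Off
</VirtualHost>
```

The two mechanisms catch different things. The uid switch plus 750 on the docroot is what actually stops a script on example-b from reading example-a's config.php, because the kernel refuses the open. open_basedir only constrains PHP's own file functions, so it is a useful second fence (it also blocks a site from wandering into /etc or /proc) but should not be the only one. A quick check after provisioning a second site is to drop a script on it that tries to read the first site's docroot and confirm it gets a permission error rather than the file contents.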

3 thoughts on “Securing Apache/PHP in Shared Hosting Environments”

  1. Even though it’s like using a ten ton hammer for a little bug issue, what happens if you step one process back and give a stripped down virtualized instance? I’d guess it would solve a number of other issues too …

    Was there ever any attempt to get the inter-site content sharing through triumph past the manual view editing stage?

  2. I am not aware of anything that’ll do just virtualised webservers like that (though it wouldn’t surprise me if there was something).

  3. You may like to consider something that utilises FastCGI. The shared web hosts I maintain use a modified version of mod_fcgid and a custom suexec wrapper to run PHP scripts with the UID/GID of the file owner. The PHP scripts only need to be readable to the file owner, so permissions like 600 or 400 are sufficient. With these permissions, users can’t see other people’s PHP scripts, so MySQL passwords stored in PHP scripts are quite safe from unauthorised access. I also run PHP in a chroot environment which contains only the libraries required to run it.
