Comments on: Using suphp To Secure A Shared Server

By: Stuart Herbert On PHP - » Using mpm-itk To Secure A Shared Server

Stuart Herbert On PHP - » Using mpm-itk To Secure A Shared Server — Sat, 19 Apr 2008 13:01:15 +0000

[...] benchmarks much better than suexec and suphp, but is still quite a bit slower than [...]

By: alfeze

alfeze — Sat, 12 Apr 2008 20:00:18 +0000

this was a very well written article - thank you!

I have been contemplating for some time and will be going with suphp however I wanted to know the effects it would have on my current customers….is it seamless transition or will clients be effected?

cheers

By: Stuart Herbert

Stuart Herbert — Sat, 05 Apr 2008 17:42:23 +0000

@Lee: There hasn’t been much interest in LiteSpeed when I’ve asked for feedback, to be honest. But I will look at it. Thanks!

@Noel: I haven’t considered FastCGI so far. The problem I perceive with FastCGI is that it’s designed to have persistent CGI processes running between page views. If you have hundreds or more sites on a single server, you’ll need a lot of extra RAM to keep the FastCGI processes running all the time.

I will look at it though. I think it would be good to try and cover as many options as possible (even if only to rule them out) so that the advice is comprehensive.

By: Noel

Noel — Sat, 05 Apr 2008 15:54:05 +0000

Have you also considered options like FastCGI in combination with mod_fcgid for example?

By: Using mpm-peruser To Secure A Shared Server | Stuart Herbert On PHP

Using mpm-peruser To Secure A Shared Server | Stuart Herbert On PHP — Thu, 20 Mar 2008 17:35:09 +0000

[...] fast as mpm-prefork (the traditional way of running mod_php) in this simplistic test, and it leaves suphp and suexec trailing in the [...]

By: Lee

Lee — Sun, 20 Jan 2008 02:06:13 +0000

I’ve tried using suphp and suexec in the past with Apache, and after all the performance problems I decided to my to the Lite Speed web server. It gives me the performance and security I want for a very reasonable cost.

By: developercast.com » Stuart Herbert’s Blog: Using suphp To Secure A Shared Server

Fri, 18 Jan 2008 14:56:00 +0000

[...] Herbert has posted about a very helpful method server admins can use out there to not only help secure their server but [...]

By: Stu

Stu — Fri, 18 Jan 2008 12:53:57 +0000

@Jan: That’s a fair point. Once I’ve finished reviewing the main options for shared hosting, I’ll put together a better set of benchmarks as a ‘head to head’ article.

@Mats: I’m planning to look at mpm-peruser next, and then mpm-itk in the article after that. ITK is interesting from a performance point of view, but the security problems it brings need careful consideration

By: Mats Lindh

Mats Lindh — Fri, 18 Jan 2008 10:53:52 +0000

I would also recommend checking out apache2-mpm-itk which is available through debian-repositories and as a source code patch at http://mpm-itk.sesse.net/ . This patch also allows you to run different virtualhosts as different users, and does not limit itself to only PHP.

By: Jan Schneider

Jan Schneider — Fri, 18 Jan 2008 09:39:25 +0000

I don’t think the benchmarks you run give a good impression about the performance impact. phpinfo() isn’t really an expensive operation. I expect the PHP initialization taking most of the time in your tests, and that’s of course more expensive with suexec or suphp.
With some real world application benchmarks, I would expect the difference becoming smaller. It’s probably still a magnitude, and the additional CPU and memory resources can’t be denied. But the tradeoff that admins have to consider when implementing such a protection is much different whether your users’ script run 25-35 times slower compared to say 5-10 times.
I don’t know if the difference would really get that “small”, but I would really be interested in benchmarks better matching real world applications.