[Nottingham] help with PHP Smarty please

Graeme Fowler graeme at graemef.net
Tue Mar 11 23:17:46 GMT 2008


On Mon, 2008-03-10 at 21:04 +0000, godfrey wrote:
> This is for a demonstration only, before the 'powers-that-be' agree to fund a 
> dedicated server.

When they do, please please please don't use mod_php. Make PHP run
through SuEXEC, suPHP or some other wrapper and consider, if you can,
developing an SELinux policy template for it. Also look at the Hardened
PHP project and the Suhosin patchset. Yes, there are execution overheads
with execute wrappers such as these, and yes, SELinux is a total dog to
get right, but your trousers are worth the work. mod_php in default
state is *dreadful* in terms of security - especially with the various
hacks you may have to put in place to make it work acceptably.

> Would I be so daft as to put live data on a shared system?

I couldn't possibly comment ;-)

G
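
Added example, not part of the message above: an Apache configuration showing the change the message recommends, with mod_php first and a suPHP setup after it. The host name, paths, module file names and the "demo" account are constructed for illustration, and suPHP_UserGroup is only honoured when suPHP is built in force or paranoid mode (in owner mode the script runs as the owner of the file).

```apache
# --- Before: mod_php ---------------------------------------------------
# PHP is interpreted inside the Apache worker process, so every site's
# scripts execute as the web server account and can read anything that
# account can read, including other sites' files on a shared host.
LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php

# --- After: suPHP ------------------------------------------------------
# Remove the two mod_php lines above. Each request is handed to the
# setuid suphp wrapper, which runs the script under the site's own
# account (constructed here as user "demo", group "demo").
LoadModule suphp_module modules/mod_suphp.so

<VirtualHost *:80>
    ServerName   demo.example.org
    DocumentRoot /srv/www/demo/htdocs

    suPHP_Engine on
    # Needs suPHP built in force or paranoid mode.
    suPHP_UserGroup demo demo

    AddHandler x-httpd-php .php
    suPHP_AddHandler x-httpd-php

    <Directory /srv/www/demo/htdocs>
        # Keep per-directory overrides off so .htaccess cannot re-map handlers.
        AllowOverride None
    </Directory>
</VirtualHost>
```

To check the result, a script that prints the output of posix_getpwuid(posix_geteuid()) should report the site account rather than the Apache account.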