From: Nicolas Letellier
To: "Reko Turja"
Cc: freebsd-questions@freebsd.org
Date: Thu, 9 Jul 2009 12:22:12 +0200
Subject: Re: Secure apache with php

On Thu, 9 Jul 2009 13:18:39 +0300, "Reko Turja" wrote:

> > I want to secure my Apache/PHP environment...
>
> Full suhosin, both patch and mod for the PHP. IIRC suhosin patch is
> optional in PHP port and the mod can be installed via ports.
> (http://www.hardened-php.net/suhosin/index.html)
>
> Apache environment and binaries set up in a jail.
>
> > Which Apache version do you advise?
>
> I reckon these days 2.2 would be the best in regards of future
> upgrades and development.
>
> -Reko

Thanks.

I already use suhosin patch in mod_php.
I have few users on this machine, each uses a separate directory (/var/www/user). I do not want to make a jail for each one.
That's why mpm-itk seems to be good (instead of safe_mode / open_basedir).

Best regards,

-- 
Nicolas
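
The per-user layout described in the message, as an added example that is not part of the original thread: Apache 2.2 with mpm-itk, using its per-vhost `AssignUserID` directive, shown beside the shared-user `open_basedir` setup it replaces. The user names (alice, bob), the example.org host names and the permission modes are assumptions.

```apache
# Added example, not from the thread. "alice", "bob" and the example.org
# names are constructed; /var/www/<user> is the layout from the message.
# Apache 2.2 syntax, built with mpm-itk as the MPM.

NameVirtualHost *:80

# Shared-user setup the message moves away from: every vhost runs as the
# same OS account, and only PHP's own file functions are confined.
#<VirtualHost *:80>
#    ServerName alice.example.org
#    DocumentRoot /var/www/alice
#    php_admin_value open_basedir /var/www/alice
#</VirtualHost>

# mpm-itk setup: requests for each vhost are served under that user's
# uid/gid, so ordinary file permissions separate the users.
# No <IfModule> wrapper on purpose: if mpm-itk is missing, Apache refuses
# to start instead of silently serving every vhost as one shared user.
<VirtualHost *:80>
    ServerName alice.example.org
    DocumentRoot /var/www/alice
    AssignUserID alice alice
    <Directory /var/www/alice>
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.org
    DocumentRoot /var/www/bob
    AssignUserID bob bob
    <Directory /var/www/bob>
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Matching filesystem permissions (as root, once per user), so that a
# script running as bob cannot read alice's tree and vice versa:
#   chown -R alice:alice /var/www/alice && chmod 750 /var/www/alice
#   chown -R bob:bob     /var/www/bob   && chmod 750 /var/www/bob
```

The isolation depends on the directory modes as much as on `AssignUserID`: a world-readable `/var/www/alice` stays readable from bob's vhost whichever uid serves it.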