Is "All PHP Options + OpCache" option safe to use?

Discussion in 'EasyApache' started by Rodrigo Gomes, Aug 31, 2017.

  1. Rodrigo Gomes

    Is the profile "All PHP Options + OpCache" in EasyApache 4 safe to use with shared hosting?

    I've read the documentation, but I'm not completely sure that it's safe to use this profile on a hosting with several websites.

    I also noticed that the documentation strongly recommends the use of DSO with opcache, but cPanel itself does not use DSO in that profile.
    If anyone can respond, I'd like to understand why this profile does not follow the documentation recommendations.
     
  2. sparek-3

    OpCache would require some type of persistent PHP handler, like php-fpm or DSO. It won't work with suPHP.

    As for the security of OpCache, I would think using file-based OpCaching would be more secure. But cPanel's opcache module does not allow file-based OpCache.

    A request to enable file-based OpCache has been made in the cPanel feature request section:

    Enable file-based OpCache for PHP 7.0/7.1

    But it is stuck in request purgatory.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  4. Rodrigo Gomes

    Hello @sparek-3

    Why do you think file-based caching is more secure?
    I think the opposite: if the directory is not well configured against writes, file-based caching is less secure (but I'm not an expert on the subject).
    For performance, yes, it should bring improvements when the opcache restarts.

    Hello @cPanelMichael

    Sorry for the lack of knowledge on this subject. I read everything, but I still cannot be sure the profile is safe for shared hosting.

    I imagine that anyone who created this profile would not do it in a way that could not be used with shared hosting, which is the purpose of cPanel.
    Or at least without warning of possible security problems.

    But I would like to be sure and hear from your team if I can trust this profile.
     
  5. Rodrigo Gomes

    Reading the documentation and characteristics of this profile, I can say that it uses php-fpm, suphp and suexec, which is what is recommended for it to be secure in shared hosting.

    But I'd love to hear this from you guys!
     
  6. sparek-3

    Using memory objects in OpCache is going to mean that anyone using PHP from that master process would have access to those objects. So unless you are using a separate master pool for each VirtualHost (which would be a lot of master pools) then any VirtualHost would have access to OpCache objects from other VirtualHosts.

    With file-based OpCaching, those objects are written into a directory that only the owner of that VirtualHost can read. So no other users would be able to read the objects from that directory. I suppose VirtualHosts that are owned by the same user would have read access, but I really don't think that would be a huge issue.

    Some of the issues with OpCache memory objects can be found at:

    PHP :: Bug #67481 :: Opcache uses wrong file from cache

    I would also encourage you to take a look at the opcache_get_status() function when using OpCache.

    There is also some discussion on this topic at

    SOLVED - Zend OPcache and PHP-FPM

    It's been a while since I've looked at all of this. Looking through some of those posts, apparently it's been close to a year. I pretty much abandoned all OpCache work because of these issues.
     
  7. Rodrigo Gomes

    Hello @sparek-3 ,

    The opcache_get_status() function is easy to solve just by configuring opcache.restrict_api in php.ini.

    Maybe I'm missing something here. I was not able to reproduce this bug in cPanel version 64.
    I tried to collide two php files in different accounts using php-fpm, but it did not work.

    The only way I would imagine anyone could inject code into other accounts or read php files from other accounts would be if there were file collisions, which does not seem to be the case these days.
    Make sure you are using opcache.use_cwd as true.

    I would still like to hear from the staff who developed this profile if it is safe to use on shared hosting.
    My biggest concern is that someone can read or execute code with user nobody.
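
A way to audit a php.ini for the directives named in this thread (`opcache.restrict_api`, `opcache.use_cwd`), as an added example that is not part of any post and is not cPanel code. It also checks `opcache.validate_permission` and `opcache.validate_root`, which the thread does not mention, and the sample ini text is constructed.

```python
import re

# PHP's built-in defaults for the audited directives (validate_* need PHP 7.0.14+).
DEFAULTS = {
    "opcache.enable": "1",
    "opcache.use_cwd": "1",
    "opcache.restrict_api": "",
    "opcache.validate_permission": "0",
    "opcache.validate_root": "0",
}
# (directive, why the weak value matters when accounts share one PHP master process)
CHECKS = [
    ("opcache.use_cwd", "off: same-named scripts in different directories can collide"),
    ("opcache.restrict_api", "empty: any script may call opcache_get_status()/opcache_reset()"),
    ("opcache.validate_permission", "off: cached scripts are served without a permission check"),
    ("opcache.validate_root", "off: name collisions are possible between chrooted pools"),
]
TRUTHY = {"1", "on", "yes", "true"}

def effective_settings(ini_text):
    """Overlay opcache.* assignments from php.ini text on PHP's defaults."""
    settings = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"(opcache\.[a-z_]+)\s*=\s*(.*)$", line)
        if m:  # a later assignment overrides an earlier one
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def audit(ini_text):
    """Return (directive, reason) pairs for weak settings; empty if OPcache is off."""
    s = effective_settings(ini_text)
    if s["opcache.enable"].lower() not in TRUTHY:
        return []
    findings = []
    for name, reason in CHECKS:
        # restrict_api is a path prefix; the other three are booleans.
        ok = bool(s[name]) if name == "opcache.restrict_api" else s[name].lower() in TRUTHY
        if not ok:
            findings.append((name, reason))
    return findings

# Constructed sample, not a cPanel default configuration.
SAMPLE_INI = """\
zend_extension=opcache.so
opcache.enable=1
opcache.use_cwd=0            ; disabled for speed
opcache.validate_permission=1
"""

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_INI):
        print(f"{name} is {reason}")
```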
     
  8. Anoop P Alias

    Another way to use a separate opcache would be to spawn a separate php-fpm master for each user.

    A working solution on cPanel (centos7-systemd) is below:

    autom8n.com/howtos/systemd.html#spawning-multiple-php-fpm-masters-using-systemd-socket-activation

    This would also allow setting resource limits for php per user in systemd

    The only downside I see in this is that since the master process runs as the user, it cannot be chrooted, which is otherwise possible.

    Also, you can do this with the current cPanel setup:
    autom8n.com/xtendweb/PHP.html#zendopcache-and-security-considerations-on-php-fpm-single-master-setup
     
    #8 Anoop P Alias, Sep 1, 2017
    Last edited by a moderator: Sep 17, 2017 at 6:08 AM
  9. Rodrigo Gomes

    Thanks for the suggestions, but I want to use the default cPanel profile.

    Disregarding the "possible" collision of php files (a bug that I was not able to reproduce), is it safe to use this profile?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Here's a quote from a previous internal case you may find helpful:

    However, note that "safe" is a very broad term and related to more than just the options enabled by default in an EasyApache 4 build profile. The following document may also provide you with some useful information:

    PHP Security Concepts - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  11. Rodrigo Gomes

    Hello @cPanelMichael ,

    I studied a lot and did my own tests. And adding what I've found, and the answers I've received here, I believe that opcache is safe for use in shared hosting as long as you take some care.

    Thanks for the answer. And the documentation sent was very helpful!
     