[vox-tech] Risks of upgrading past CentOS 6 supported PHP 5.4?

Rick Moen rick at linuxmafia.com
Thu Jun 2 00:41:20 PDT 2016


Quoting Bill Broadley (bill at broadley.org):

> >Does anyone know any downsides to using the webtatic PHP packages on
> >CentOS 6?
> 
> I've seen many machines with ugly configurations related to cpanel,
> custom php installs (sometimes more than one), and fragile very hard
> to reproduce apache configurations.
> 
> Although I guess I shouldn't complain, they get hacked and I get consulting.

(Sadly, this won't answer Dr. Ozeran's question, either:)

I've lately come to the conclusion, from many years as a Linux server
admin, that PHP is tolerable on a Unix machine _provided_ it isn't ever
exposed to public networks, because the ongoing security nightmare is
otherwise not justifiable.  I mean, yes if management is paying you to
do it and the money's good, but if you're the boss, say 'Hell no.'

So, e.g., every Web page on my linuxmafia.com server that used to be
dynamically assembled by the PHP interpreter at Apache page-load time
is (more recently) instead built on-disk in advance using automake or a
cron script.  Fortunately, none of those pages needed to _actually_ be
dynamic; it was just coder laziness that chose that implementation.

For example, the coder who helped me convert BALE
(http://linuxmafia.com/bale/) from its original mid-1990s static HTML
incarnation to PHP + MySQL set it up so every page load assembles the
page anew, from several PHP fragments plus the results of a MySQL query
(furnishing the events rows).  When I realised the underlying reality of
this being static data changing only once on the 1st of each month, I
converted it into a static HTML page generated by a cron job in
/etc/cron.monthly/ , and then Apache serves up just that static file.

Whole huge categories of security threat have completely gone away for
good, when I ditched runtime PHP.

If I had any Web applications that actually relied on the PHP
interpreter at load time, I'd try really hard to ditch them.  It really
is IMO that bad.

And I say that because, so to speak, Ranum is my guru:
http://www.ranum.com/security/computer_security/editorials/master-tzu/

That having been said:  Dr. Ozeran, I know of nothing against the
Webtatic repo's PHP packages.  It seems like a competent external repo
for CentOS/RHEL, though I have no relevant experience.  Hope that helps!
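The monthly build Rick describes (query the events table once, write a static HTML file, let Apache serve the file) is the kind of job that is easy to get subtly wrong: a half-written page served mid-build, a failed query publishing an empty page, or database strings copied into HTML unescaped. The script below is an added example, not the BALE cron job or any code from the list; the table name, column names, database name and output path are assumptions. It renders a TSV query result into escaped HTML, links only http/https URLs, and swaps the finished file into place atomically, so a failed build leaves the previous page untouched.

```shell
#!/bin/sh
# Constructed example of a monthly cron job replacing a runtime-PHP page with a
# pre-built static file. Assumed names: database "bale", table "events" with
# columns event_date/title/url, publish path /var/www/bale/index.html.
set -eu

OUTFILE="${OUTFILE:-/var/www/bale/index.html}"   # assumed publish path
DB_NAME="${DB_NAME:-bale}"                        # assumed database name

# Render TSV rows "date<TAB>title<TAB>url" (stdin) into a complete HTML page
# (stdout). $1 is the build date shown in the footer. Every field is escaped,
# and a row gets a link only when its URL uses http or https.
render_events_html() {
    awk -F '\t' -v built="$1" '
    function esc(s) {
        gsub(/&/, "\\&amp;", s); gsub(/</, "\\&lt;", s)
        gsub(/>/, "\\&gt;", s);  gsub(/"/, "\\&quot;", s)
        return s
    }
    BEGIN {
        print "<!DOCTYPE html><html><head><meta charset=\"utf-8\">"
        print "<title>Events</title></head><body><table>"
        print "<tr><th>Date</th><th>Event</th></tr>"
    }
    NF >= 3 {
        if ($3 ~ /^https?:\/\//)
            printf "<tr><td>%s</td><td><a href=\"%s\">%s</a></td></tr>\n",
                   esc($1), esc($3), esc($2)
        else
            printf "<tr><td>%s</td><td>%s</td></tr>\n", esc($1), esc($2)
        rows++
    }
    END {
        printf "</table><p>%d events; built %s</p></body></html>\n", rows, built
    }'
}

# Write stdin to a temp file beside $1, then rename it over $1. The rename is
# atomic on the same filesystem, so Apache never serves a partial page and a
# failure here leaves the old page in place.
publish_atomic() {
    dest="$1"
    tmp=$(mktemp "$(dirname "$dest")/.build.XXXXXX")
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dest"
}

# Full build: query once (a read-only MySQL account is assumed), refuse to
# publish if the query failed, render, then publish atomically.
build_page() {
    rows=$(mktemp); html=$(mktemp)
    if ! mysql --batch --skip-column-names "$DB_NAME" \
         -e "SELECT event_date, title, url FROM events
             WHERE event_date >= CURDATE() ORDER BY event_date" > "$rows"; then
        rm -f "$rows" "$html"
        echo "query failed; keeping previous page" >&2
        return 1
    fi
    render_events_html "$(date -u +%Y-%m-%d)" < "$rows" > "$html"
    publish_atomic "$OUTFILE" < "$html"
    rm -f "$rows" "$html"
}

# Cron entry point, e.g. a wrapper in /etc/cron.monthly/ running:
#   /usr/local/sbin/build-events run
# Without the "run" argument only the functions are defined, so the rendering
# and publishing steps can be exercised offline without a database.
case "${1:-}" in
    run) build_page ;;
esac
```

The escaping happens at the one point where database text enters HTML, and the scheme check on the URL column closes the gap that escaping alone does not (an escaped `javascript:` URL is still a live link). Publishing through `mktemp` plus `mv` also means the web root only ever contains complete pages, whatever the cron job's exit status.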
