Tutorial

PHP-FPM Per-User Isolation: How cPanel, Plesk, and Panelica Handle Multi-Tenant PHP

May 07, 2026


PHP Isolation Determines Shared Hosting Security

In a shared hosting environment, multiple users run PHP code on the same server. Without proper isolation, one compromised account can read files from another, consume all server resources, or escalate privileges. Panelica is a modern hosting control panel designed for multi-server environments with per-user, per-version PHP-FPM pools running inside cgroup resource slices.

cPanel PHP-FPM Handling

cPanel supports PHP-FPM through the MultiPHP Manager in WHM.

  • Multiple PHP versions available simultaneously (5.6 through 8.x)
  • Per-domain PHP version selection
  • PHP-FPM pools per cPanel account
  • php.ini directives configurable per domain
  • CloudLinux CageFS provides filesystem isolation (paid add-on)
  • CloudLinux LVE provides resource limits per user (paid add-on)

The critical detail: cPanel PHP-FPM isolation depends heavily on CloudLinux. Without CloudLinux, PHP-FPM pools run under separate user accounts (providing basic Unix permission isolation) but lack resource limits and filesystem virtualization. CloudLinux LVE adds CPU, memory, and IO limits per user, and CageFS creates a virtualized filesystem preventing cross-account file access.

This means full PHP isolation on cPanel requires: cPanel license + CloudLinux license + configuration. The CloudLinux add-on costs approximately $16/month.

Plesk PHP-FPM Handling

Plesk supports PHP-FPM with per-subscription pools.

  • Multiple PHP versions via Plesk PHP components
  • Per-domain PHP version and handler selection (FPM, FastCGI, CGI)
  • PHP-FPM pool per subscription running as the subscription system user
  • open_basedir enforcement per domain
  • PHP settings configurable per subscription and per domain
  • chroot option for PHP-FPM pools

Plesk provides solid PHP isolation at the subscription level without requiring a third-party add-on. The main limitation is the absence of cgroup-based resource limits. A PHP process can still consume excessive CPU or memory without hard enforcement.

Panelica PHP-FPM Isolation

Panelica provides container-native deployment and strict resource isolation. PHP-FPM management is part of the five-layer isolation architecture.

Per-User, Per-Version Architecture

Each user gets a separate PHP-FPM master process for each PHP version they use. The configuration hierarchy is:

  • /opt/panelica/etc/php-fpm-users/{username}/{version}/php-fpm.conf
  • /opt/panelica/etc/php-fpm-users/{username}/{version}/pool.d/{username}_{domain}.conf

If a user has domains on PHP 8.1 and PHP 8.3, two separate PHP-FPM services run: panelica-php-fpm-8.1-user@{username} and panelica-php-fpm-8.3-user@{username}. Each has its own master process, PID file, and socket.

Cgroup v2 Resource Slices

Both PHP-FPM services for the same user run inside a shared cgroup slice: panelica-user-{username}.slice. This slice enforces CPU, memory, IO, and process count limits. A user running a runaway PHP script cannot consume more than their allocated resources, regardless of which PHP version the script runs on.

Security Directives

Each pool configuration includes security-hardened PHP directives:

  • open_basedir restricted to the user's home directory and required system paths
  • disable_functions blocks dangerous functions (exec, system, passthru, shell_exec, etc.) by default
  • Per-pool error logging to user-specific log files
  • Session and upload directories scoped to the user's space

Automatic Pool Management

The PHP-FPM user service detects all installed PHP versions by scanning /opt/panelica/services/php/ for directories containing the sbin/php-fpm binary. When a domain is created or its PHP version changes, the service automatically creates, updates, or removes the appropriate pool configuration and restarts the affected PHP-FPM service.

Systemd Integration

PHP-FPM services use systemd Type=simple with version-aware PID files (php-fpm-{version}-user-{username}.pid). The cgroup slice is specified in the systemd service unit, ensuring kernel-level enforcement of resource limits from the moment the process starts.
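The following generator ties together the per-user, per-version hierarchy, the shared cgroup slice, the hardened pool directives, the version detection in the pool manager, and the systemd naming described in the sections above. It is an added example written for this article, not Panelica's own service code; the directory layout and unit names follow the post, while the home-directory layout, socket path, resource limit values, and the exact disable_functions list are assumptions.

```python
import os

# Layout and unit names follow the post; this generator is an illustration, not
# Panelica's code. Limit values and the disable_functions list are assumptions.
ETC_ROOT = "/opt/panelica/etc/php-fpm-users"
PHP_ROOT = "/opt/panelica/services/php"
DISABLED = "exec,system,passthru,shell_exec,popen,proc_open"

def detect_versions(root=PHP_ROOT, listdir=os.listdir, isfile=os.path.isfile):
    """Installed PHP versions: subdirectories of root that hold sbin/php-fpm."""
    return sorted(v for v in listdir(root)
                  if isfile(os.path.join(root, v, "sbin", "php-fpm")))

def service_names(username, versions):
    """One systemd service per (user, version); all share the user's slice."""
    slice_name = f"panelica-user-{username}.slice"
    units = [f"panelica-php-fpm-{v}-user@{username}.service" for v in versions]
    return slice_name, units

def pool_path(username, domain, version):
    return f"{ETC_ROOT}/{username}/{version}/pool.d/{username}_{domain}.conf"

def render_pool(username, domain, version, home=None):
    """Pool config carrying the hardening directives described in the post."""
    home = home or f"/home/{username}"  # assumed home layout
    lines = [
        f"[{username}_{domain}]",
        f"user = {username}",
        f"group = {username}",
        f"listen = /run/panelica/php-fpm-{version}-{username}_{domain}.sock",
        "listen.mode = 0660",
        "pm = ondemand",
        "pm.max_children = 10",
        # open_basedir: the home directory plus required system paths (assumed set)
        f"php_admin_value[open_basedir] = {home}:/usr/share/php",
        f"php_admin_value[disable_functions] = {DISABLED}",
        # per-pool error log; session and upload directories scoped to the user
        "php_admin_flag[log_errors] = on",
        f"php_admin_value[error_log] = {home}/logs/php-{version}-{domain}.log",
        f"php_admin_value[session.save_path] = {home}/tmp/sessions",
        f"php_admin_value[upload_tmp_dir] = {home}/tmp/uploads",
    ]
    return "\n".join(lines) + "\n"

def render_slice(username, cpu="100%", mem="512M", pids=100, io="/home 20M"):
    """cgroup v2 slice unit: maps to cpu.max, memory.max, pids.max and io.max."""
    return (f"# /etc/systemd/system/panelica-user-{username}.slice\n[Slice]\n"
            f"CPUQuota={cpu}\nMemoryMax={mem}\nTasksMax={pids}\n"
            f"IOWriteBandwidthMax={io}\n")
```

Because every PHP-FPM service unit names the same Slice=, the limits in the rendered slice apply to the user's PHP 8.1 and 8.3 masters together rather than per version.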

Feature Comparison

  • Per-User FPM Pools: cPanel (yes), Plesk (yes), Panelica (yes, per-version)
  • CPU/Memory Limits: cPanel (CloudLinux LVE, paid), Plesk (no), Panelica (Cgroups v2, built-in)
  • Filesystem Isolation: cPanel (CloudLinux CageFS, paid), Plesk (open_basedir), Panelica (open_basedir + namespaces)
  • Multi-Version Per User: cPanel (one pool per account), Plesk (one pool per subscription), Panelica (separate pool per version per user)
  • disable_functions: cPanel (configurable), Plesk (configurable), Panelica (enforced by default)
  • Process Limits: cPanel (CloudLinux), Plesk (FPM max_children), Panelica (cgroup pids.max)
  • IO Limits: cPanel (CloudLinux), Plesk (no), Panelica (cgroup io.max)
  • Additional Cost: cPanel (+CloudLinux ~$16/mo), Plesk (none for basic), Panelica (none)

Conclusion

PHP-FPM isolation is only as strong as the enforcement layer beneath it. cPanel achieves excellent isolation but requires the paid CloudLinux add-on. Plesk provides good basic isolation through open_basedir and per-subscription pools. Panelica empowers sysadmins with RBAC and automated security tools, offering the deepest PHP isolation with per-user per-version pools inside cgroup v2 slices, providing kernel-enforced CPU, memory, IO, and process limits at no additional cost.
