Multisites Security Requirements 14 Years, 2 Months ago
Since I have many sites running on Multisites, I am concerned about security. I am using RSFirewall and am quite happy with it so far but it has several recommendations that I wanted to make sure were compatible with Multisites before I implement them.
First, it checks all file and folder permissions to make sure they are the Joomla recommended 644 and 755 respectively. Does Multisites require any different permissions on any files and/or folders? From its initial scan, it looks like the main culprits are extensions that set loose permissions. (Which they warn about.)
Second, it recommends disabling certain PHP functions via a php.ini file that Joomla does not require. I want to make sure Multisites does not use any of these functions before I disable them. The functions are: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open. Does Multisites require any of them?
Third, it recommends disabling allow_url_fopen in the php.ini. Will this affect Multisites?
Last, it recommends the use of the open_basedir to limit access to only specified directories. Will this cause a problem for Multisites?
Thank you for the help. JMS is a great product and well worth the purchase.
Re: Multisites Security Requirements 14 Years, 2 Months ago
Concerning the file & folder permission, this should be OK.
JMS Multisites saves the website definitions in the /multisites directory.
You can also disable the allow_url_fopen when CURL module is enabled.
We don't use the functions that you mentioned.
You can do a search in all the source to verify them yourself.
You can use open_basedir but don't forget to give the permission in both directions between the master and the slave sites. You have to provide the paths that are used by the symbolic links and the deployed directories.
Such open-basedir is something that is already used by some hosting companies and admin tools like (Plesk). So yes, you can enable it but its configuration is not necessarily easy.
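
The reply above suggests searching the source for the functions RSFirewall wants disabled. One way to run that search, as an added example that is not part of the thread or of JMS Multisites: the function list is the one from the first post, while `scan_source`, `scan_tree` and the sample input are constructed for illustration. It reports every lexical candidate, including hits inside comments and strings, and does not detect calls made through variables.

```python
import os
import re

# Functions RSFirewall proposes for disable_functions (list from the first post).
DISABLE = ("show_source", "system", "shell_exec", "passthru",
           "exec", "phpinfo", "popen", "proc_open")

# A direct call is the bare name followed by "(". The lookbehinds reject
# longer names (curl_exec), methods (->exec, ::exec), variables ($exec) and
# "function exec(" definitions, none of which disable_functions affects.
# PHP function names are case-insensitive, hence re.I.
CALL = re.compile(
    r"(?<![\w>:$])(?<!function\s)(%s)\s*\(" % "|".join(DISABLE), re.I)


def scan_source(text):
    """Return (line_number, function_name) for each candidate call in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits.extend((lineno, m.group(1).lower()) for m in CALL.finditer(line))
    return hits


def scan_tree(root):
    """Scan every .php file under root; return {relative_path: hits}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


# Constructed sample, not taken from Joomla or JMS Multisites.
SAMPLE = """<?php
$out = curl_exec($ch);          // different function, ignored
$db->exec('DELETE FROM t');     // method call, ignored
class Runner { function exec($c) { return \\exec($c); } }
$v = PHP_OS; System ("uname");  // case-insensitive direct call
"""

if __name__ == "__main__":
    for lineno, func in scan_source(SAMPLE):
        print(f"line {lineno}: {func}()")
```

An empty result from `scan_tree` over the site root means no direct call to the listed functions was found in any `.php` file; each reported hit still needs a manual look before the function is added to `disable_functions`.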
Re:Multisites Security Requirements 13 Years, 4 Months ago
RSFirewall also suggests moving the configuration.php file outside the public_html folder and modifying the defines.php files. Is this an issue for Multisites?
Thanks,
Re:Multisites Security Requirements 13 Years, 4 Months ago
YES, this is an issue because you hack Joomla and several extensions (not only JMS) will no longer work properly.
For example, the PayPal notification in VM will no longer work.
Several extensions assume that the "configuration.php" is located in the root directory of the website.
So, if you change that, you will get trouble with plenty of extensions.
Re:Multisites Security Requirements 13 Years, 4 Months ago
Thanks for the reply.
RSFirewall recommends moving the tmp and log folders outside the public_html folder. Is this an issue for Multisites?
Thanks again,
Re:Multisites Security Requirements 13 Years, 4 Months ago
NO, as long as the "global configuration" is correctly set up to have access to these directories, this is OK for the master.
You need to have access to these directories to have the symbolic link functionality available. See video 6.
Concerning the slave site, JMS automatically defines the /tmp and /logs in the root of the "deploy folder". If you want to change that, you can do it after the site is created.