My question is really about how much to expect in terms of security from a commercial web host. I've found a host (who shall remain nameless for the time being) with great prices, good features, but:
I've found what I consider to be some serious security holes in it. All HTML/PHP files on the host have to be world readable for the web server to serve them. This means that things like .htaccess/.htpasswd files have to be world readable, PHP scripts - including the passwords in them to access MySQL tables, etc. are all world readble.
The directory permissions are usually set to world exectuable, but not world readable to prevent other users on the system from at least reading the names in the directory. However, anyone can visit my site, determine filenames from the URL, then cat those files with the full pathname.
Is this kind of security problem common, should I just put up with it, or start looking for another host?
------------------
--Coop/Better Mouse Trap
In fact, it's how insecure most of them are.
You should check for a host that supports SuEXEC or cgiwrap, otherwise, all files must be WORLD readable (-rw-r--r--) including the most insecure PHP script that often use clear-text password within the script to connect to MySQL. Anyone on the same server can simply steal all the contents of other members including passwords.
With SuEXEC or cgiwrap, ther permission of a script can be as low as -rwx------ (700) and a file can be -rw------- (600).
I'm assuming that suexec or cgiwrap would set the UID's when running CGI scripts. This seems to be working correctly - if I wrote code in PERL and run it as CGI, it gets executed with the proper UID, and I can access and manipulate private files.
But if I use imbedded PHP code, I believe it's being executed as an Apache Module (good for performance) which operates as nobody. Is there any way for the PHP module to be configured to execute the .php pages as the user that owns them?
At this time, I'm not storying highly sensitive data (no credit cards), so perhaps I'll just bite the bullet and take the risk. I can at least make the database passwords independant of the shell and control panel passwords to all they could get to is my tables http://www.devshed.com/Talk/Forums/smile.gif
------------------
--Coop/Better Mouse Trap
>>Is there any way for the PHP module to be configured to execute the .php pages as the user that owns them?
I don't know much about PHP so I can't give you the correct answer but I guess the answer is probably NO. Therefore, PHP coders out there should always remember not to put clear-text username and password within their PHP scripts and thinking nobody can read their codes. Of course, PHP can be installed as CGI but the performance is not as good as an apache module. Don't forget, whatever PHP can do, Perl always can. With SuEXEC or cgiwrap enabled, everyone on the same server can't read others' file with 700 permission.
<BLOCKQUOTE><font size="1" face="Verdana,Arial,Helvetica">quote:</font><HR>I don't know much about PHP so I can't give you the correct answer but I guess the answer is probably NO. Therefore, PHP coders out there should always remember not to put clear-text username and password within their PHP scripts and thinking nobody can read their codes. [/quote]
Problem is of course that there's no other way to store the password that isn't also accessible to all users if your PHP code is running as nobody http://www.devshed.com/Talk/Forums/frown.gif
I'll avoid getting into a religious debate on which language is better http://www.devshed.com/Talk/Forums/smile.gif, but for me it's about programmer timer - I can code what I want faster in PHP in this case.
<BLOCKQUOTE><font size="1" face="Verdana,Arial,Helvetica">quote:</font><HR>With SuEXEC or cgiwrap enabled, everyone on the same server can't read others' file with 700 permission.[/quote]
I'll probably use PERL for anything that I need security for, and stick to PHP for the non sensitive tools. Thanks for the insight!