Security on a shared hosting server

Forum Moderators: coopster

Message Too Old, No Replies

Security on a shared hosting server

security shared hosting

dcompiled

5:29 pm on Aug 20, 2009 (gmt 0)

I have a content management system that creates folders in within my website root folders. Because PHP runs as user/group nobody:nobody, I have had to resort to using 0777 permissions on the folder (/home/myusername/public_html/thefolder). This is undesirable because it poses a security risk. I'm no *nix expert so I was wondering if someone could explain how easy it would be for someone to modify files within this folder.

Have others had this same problem and could share a solution? The only idea I have left would be to set the PHP script to run as myusername but I'm not skeptical that would be possible in a shared hosting environment.

dcompiled

5:42 pm on Aug 20, 2009 (gmt 0)

I think I have a solution that might work using the sticky bit. I read somewhere else on the forum its possible to set a directory to force permissions on all objects created within it. Assuming I could get this working, I need to know if having a folder with group=nobody and user=myusername set with permission 0775 is any more secure than using 0777 permissions.

dcompiled

4:30 pm on Aug 21, 2009 (gmt 0)

bump..

SteveWh

7:53 pm on Aug 23, 2009 (gmt 0)

I'm not an expert on this, either, but my understanding is that with permissions at 777, it means that a PHP script on another website on your shared server (including a malicious PHP script, such as if that other site gets hacked) could potentially add/delete files in the folder, and might be able to modify any files in it that have permissions of 666.

What I think is most important about this is that all this relates to activities on the server itself. 777 doesn't mean that anybody anywhere in the world can reach into your site and change files, unless they gain entry to one of the sites there first, which is a different issue.

777 makes you somewhat dependent on the quality of the security of the other sites on your server. If the other sites are well maintained, you're safer than if the server has 500 blogs all running outdated WordPress versions.

When PHP is running as nobody, I'm fairly sure there's nothing you can do within your script to change that, so that's not worth pursuing.

I'm skeptical that the idea in your second post will solve the problem, but part of the reason I'm posting this message is to follow other replies you receive. My reasoning is this: if you set the folder group to nobody, it means that PHP can write to it because it's in the nobody group, but PHP running on anybody else's site on the same server will also be running as nobody, so you haven't really added any security. Or to put it another way, to allow PHP to write to the folder, you MUST make it writable by PHP, but PHP runs as the same user no matter which website is running a script. It only has one identity, so there's no way you can allow PHP to modify your folders at some times but not others.

I hope nothing I've said is totally wrong, or if it is, that someone will step in and correct it.