On Sep 18, 10:09 pm, "Tom Boutell" <[EMAIL PROTECTED]> wrote:
> We are evaluating whether it is possible to deploy Symfony on a shared
> hosting server in a reasonably safe manner.
>
> So far my impression is that it can't really be done in a typical
> shared hosting environment. This is because Symfony needs to write to
> the cache folder, and the cache folder must be writable by "nobody."
> And our user account on the shared hosting server can only grant that
> permission by making the cache folder world writable.
>
> Since the cache folder is mapped into web server space and is visible
> in file system space to all of the other hosting customers on the box,
> this means that any customer on the box can simply modify the PHP
> files there to do whatever they'd like and then access our potential
> client's site in order to invoke them. Boom... we're pwn3d. (:
>
> There is a newer technique for executing PHP scripts called suPHP
> which allows PHP scripts to be invoked as the owner rather than as
> nobody, however this involves the overhead of running PHP as CGI and
> most shared hosting companies just don't offer it.
>
> * * *
>
> "World-writable" seems to be only part of the problem.
> "World-readable" is the other half. Some PHP applications avoid the
> filesystem entirely, relying entirely on the database. But your
> database password has to live in a PHP file somewhere, and that file
> has to be readable by nobody... which means that anyone else on the
> shared hosting server can get into your database and do whatever they
> darn well please.
>
> * * *
>
> Therefore my conclusion, so far, is that running Symfony on a shared
> host is not a safe choice, but that's probably true for pretty much
> any PHP site - Symfony based or otherwise. If you want to be even
> remotely safe, you must either use (1) suPHP or some other setup where
> PHP or all of Apache runs "as you," (2) a virtual machine (you have
> root and no one else can see your file system at all), or (3) a
> dedicated physical machine.
>
> This is so unpleasant, it seems like it must be overstating the case.
> Many reputable providers (pair.com, for instance) provide many tiers
> of shared hosting plans with increased features at each level, etc.
> etc. Can it really be true that it's all completely unsafe from the
> get-go? Or am I missing something?
>
> Thanks for your input folks!
>
> --
> Tom Boutell
>
> www.punkave.com
> www.boutell.com


Have you read these links?

http://trac.symfony-project.org/wiki/Deploying1.0ToASharedHost

http://trac.symfony-project.org/wiki/InstallingSymfonyOnSharedHostNoSsh

http://trac.symfony-project.org/wiki/HowToRedirectPublicHtmlToWebFolder

and this

http://trac.symfony-project.org/wiki/HostsSupportingSymfony

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"symfony users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/symfony-users?hl=en
-~----------~----~----~----~------~----~------~--~---
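
An added example (not part of either message above and not Symfony code): a Python audit that walks a project tree and reports the two conditions the quoted post describes, world-writable paths and world-readable files. The directory layout and file names in the sample are constructed assumptions.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return (world_writable, world_readable) lists of paths relative to root."""
    writable, readable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink itself are not meaningful
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:  # any other account on the box can modify it
                writable.append(rel)
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:  # any account can read it
                readable.append(rel)
    return sorted(writable), sorted(readable)

def build_sample_project(root):
    """Constructed layout mimicking the post's scenario (names are assumptions)."""
    os.makedirs(os.path.join(root, "cache"))
    os.makedirs(os.path.join(root, "config"))
    files = {
        "cache/compiled.php": 0o666,      # cache file rewritten by the "nobody" user
        "config/db_settings.php": 0o644,  # would hold the database password
        "config/private.php": 0o600,      # workable only when PHP runs as the owner
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)  # chmod sets the exact mode, independent of umask
    os.chmod(os.path.join(root, "cache"), 0o777)
    os.chmod(os.path.join(root, "config"), 0o755)

def demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_project(root)
        return audit_tree(root)

if __name__ == "__main__":
    writable, readable = demo()
    print("world-writable:", writable)
    print("world-readable files:", readable)
```

Pointing `audit_tree` at a real deployment directory gives the list of paths that other accounts on the same host could modify or read.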
