On Thu, 18 Sep 2008, Tom Boutell wrote:

> Therefore my conclusion, so far, is that running Symfony on a shared
> host is not a safe choice, but that's probably true for pretty much
> any PHP site - Symfony based or otherwise.

Or Rails-based. Or Python-based. Web server software typically doesn't run 
as the owner of the site and the files need to be readable to "nobody" (or 
"apache" or "www"). This is a "problem" for pretty much any web site that 
uses some form of scripting and/or database.

> If you want to be even
> remotely safe, you must either use (1) suPHP or some other setup where
> PHP or all of Apache runs "as you," (2) a virtual machine (you have
> root and no one else can see your file system at all), or (3) a
> dedicated physical machine.

(1) Is not really much safer, because any potential security hole in the 
web server software would give an attacker read access to your files too.

(2) Same here as (1).

(3) Probably OK (assuming the machine itself isn't cracked).

> This is so unpleasant, it seems like it must be overstating the case.
> Many reputable providers (pair.com, for instance) provide many tiers
> of shared hosting plans with increased features at each level, etc.
> etc. Can it really be true that it's all completely unsafe from the
> get-go? Or am I missing something?

Generally, users on shared hosts are segregated from each other so you 
can't just login to a server and copy someone else's files. That leaves 
the web server software as the only attack vector. Assuming the provider 
keeps its software (and OS) up to date, it's usually not a problem. Of 
course, even with a dedicated server, nothing is ever 100% perfectly safe 
but it's the best solution so far.

Of course, the "big sites" run their own server farms with firewalls and 
load balancers so pretty much everything is locked down and fairly secure.

Dedicated hosts are expensive though so look at virtual servers. I've 
started using virtual servers from linode.com ($20/month) and recommend 
them highly (I'm just a customer).



-- 
A
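The point made above about files having to be readable to "nobody"/"apache"/"www" is something you can check for yourself on a shared host. The following shell script is an added example for this thread, not code posted by either author: it builds a small constructed sample tree (a config file holding a credential and a public page, both mode 644), lists every regular file under the web root whose mode grants "other" read (octal 004), which is what any co-tenant with a shell can read, and shows the chmod that removes that bit. The file names and the assumption that the web server user can still reach the file through group permissions are assumptions for the example; on a real host you would have to confirm how PHP actually runs (mod_php as the server user, suPHP/FastCGI as you) before tightening modes.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for world-readable files.

# Print, relative to $1, every regular file whose "other" read bit is set.
# -perm -004 matches any file with at least o+r; on a shared host these are
# readable by every other local account, not just the web server user.
audit_world_readable() {
    root=$1
    find "$root" -type f -perm -004 | sed "s|^$root/||" | sort
}

# Build a constructed sample tree (Symfony-style layout, names are assumptions).
# Both files get mode 644, the usual default on a shared host.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/config" "$dir/web"
    printf 'all:\n  doctrine:\n    param:\n      password: example-only\n' \
        > "$dir/config/databases.yml"
    printf '<?php echo "hello"; ?>\n' > "$dir/web/index.php"
    chmod 644 "$dir/config/databases.yml" "$dir/web/index.php"
    printf '%s\n' "$dir"
}

# Remove "other" read from a sensitive file. Group read is kept on the
# assumption that the web server can be given access via the file's group;
# if PHP runs as your own user (suPHP/FastCGI) even that can be dropped.
harden_config() {
    chmod o-r "$1"
}

# Stand-alone run: show the audit before and after hardening the config.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "world-readable before:"; audit_world_readable "$d"
    harden_config "$d/config/databases.yml"
    echo "world-readable after:";  audit_world_readable "$d"
    rm -rf "$d"
fi
```

Run it with `sh audit.sh --demo`; the config file appears in the first listing and disappears from the second, while the public `web/index.php` (which must stay readable to the server) remains in both.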

