In response to some comments yesterday:

> Links to HOWTOs on shared hosting and Symfony

Just read these. None of them address the security consequences of setting files to be 666/777 or the fact that some shared hosts, notably Pair, *do* make other people's folders visible in the file system. We were surprised by that too, and not too happy when a Pair tech expressed concern to our client about the world-writable directories involved in Symfony.

When I set out to address this, I found that sfFileCache makes matters worse by forcing the umask to zero and forcing 666/777 permissions on everything without the option to configure things differently. I submitted a patch to allow safer use of Symfony in these situations yesterday: http://trac.symfony-project.org/ticket/4412

Virtual servers and physical dedicated servers are of course better, but if you must deploy in a shared environment where files of other users are visible, insist that the host give you setuid PHP and use this patched sfFileCache to remove the risk of having your site taken over if PHP files in your cache dir are overwritten by hostile sites, as they readily can be. Also call umask(0077) in config.php. umask has a purpose, please don't override it willy-nilly all over the place.

I'm still seeing some unnecessary world-writable stuff when files are uploaded via FCK or the admin generator, but I haven't thoroughly investigated those issues yet.

--
Tom Boutell
www.punkave.com
www.boutell.com
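An added shell example, not code from the post or from Symfony, that shows the mechanism Tom describes and checks for its symptom: `create_with_umask` creates a file the way a naive cache write does (0666 masked by the umask) and reports the resulting mode, so umask 0 yields 666 while umask 077 yields 600, and `find_world_writable` lists anything under a cache directory that other users on the host can write, which is what a shared-hosting audit would flag. The function names and the temporary paths are my own.

```shell
#!/bin/sh
# Added example, not code from the post or from Symfony: shows why a cache
# layer that forces umask(0) plus 0666 leaves world-writable PHP files, and
# audits a cache directory for that symptom. Function names are my own.

# Create an empty file the way a naive cache write does (0666 & ~umask),
# under the umask given as $1, and print the resulting mode in octal.
#   umask 0   -> 666 (any user on the host can overwrite the file)
#   umask 077 -> 600 (owner only)
create_with_umask() {
    mask=$1
    path=$2
    ( umask "$mask" && : > "$path" ) || return 1
    # GNU stat first, BSD stat as the fallback.
    stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path"
}

# List every file or directory under $1 whose "other" permission bits
# include write (octal 002). Returns 0 when the tree is clean and 1 when
# anything was listed, so a deployment script can gate on it.
find_world_writable() {
    dir=$1
    found=$(find "$dir" -perm -002 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demonstration on a constructed cache directory (removed afterwards).
demo=$(mktemp -d)
mkdir -m 755 "$demo/cache"
echo "umask 0:   $(create_with_umask 0 "$demo/cache/config_cache.php")"
echo "umask 077: $(create_with_umask 077 "$demo/cache/safe_cache.php")"
find_world_writable "$demo/cache" || echo "world-writable entries listed above"
rm -r "$demo"
```

Run the audit against the real Symfony cache directory after applying umask(0077) in config.php to confirm that nothing other-writable remains.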
