473,221 Members | 1,759 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,221 software developers and data experts.

Secured hosting on a shared server--impossible?

I'm just throwing this question out here as there hasn't been much
discussion recently on the topic of shared hosting. Most people, it seems,
just assume that it's secured. Companies don't sell services that's
insecured by design, right?

Those of us who know better know, of course, that that's not the case. Two
main challenges of sharing a server with other people are hiding your
database login/password and securing session files. Both of these are
necessitated by the fact that Apache runs as the same user for all virtual
hosts. Files that your scripts have access to, those of your server-mates
can access as well.

My questions are thus

(a) Is it possible to host a PHP site securely using a typical (read
"cheap") web hosting account?

(b) Is it possible to set up Apache so that virtual sites are protected from
one and other?
--
Project Wapache - http://wapache.sourceforge.net
Jul 17 '05 #1
10 1989
In: <oY********************@comcast.com>, "Chung Leong" <ch***********@hotmail.com> wrote:
(a) Is it possible to host a PHP site securely using a typical (read
"cheap") web hosting account?
As far as I know... not really.

You could probably set up some sort of proxy or arrange in one way shape
or form for each user to have their own private web server, not cheap but
still slightly cheaper than a VPS.

There is also setuid scripts and things, so, one could run php as a CGI
and manage it that way.
(b) Is it possible to set up Apache so that virtual sites are protected from
one and other?


I wouldn't be surprised to find out someone some place has figured out how to
get Apache (or other web server) to spawn a new child each time a request for a
given virtual host is recieved. (Perhaps with a cleanup measure) As far as I
know, there aren't any.

In theory, I should think it's possible. Still not "cheap" in terms of
server resources though. Forking a server on each request is not ideal,
but not quite as bad as CGI might be. (with the copy on write features
of fork)

Still not absolutely secure, since people can (and will) do chmod 777
on stuff.

Best solution I've seen to date is a virtual private server (VPS) You share a
physical machine, but you get your own virtual linux box. Kind of like
running several linux kernels concurrently on a machine. It's not as cheap as
shared, but it's certainly cheaper than a dedicated machine.

Couldn't do these kinds of things for $3.95/month, but $20.00/month buys
you a VPS. Not terrible considering 5-6 years ago, it was $25.00/month for
a 1/2 decent *shared* server with a fraction of the disk space and no access
to your config files or cron.

A VPS still isn't absolutely secure if your ISP has physical access
to the machine.

Jamie
--
http://www.geniegate.com Custom web programming
gu******@lnubb.pbz (rot13) User Management Solutions
Jul 17 '05 #2
Chung Leong wrote:

Those of us who know better know, of course, that that's not the case.


Not by default. But it is possible to isolate each virtual host using
openbasedir/safe_mode/safe_mode_execdir.

C.

Jul 17 '05 #3
Chung Leong wrote:

My questions are thus

(a) Is it possible to host a PHP site securely using a typical (read
"cheap") web hosting account?
No.
(b) Is it possible to set up Apache so that virtual sites are
protected from one and other?


I'm running several webservers with Apache/PHP, and I'm pretty happy
with my setup. After struggling for months with suexec, I switched to
the suPHP module (which acts as a wrapper, running php scripts as the
user who owns the script)

(using Debian GNU/Linux)

Put the websites somewhere and make them readable by the owner and by
Apache, e.g.

drwxr-x--- site1:www-data /srv/www/www.site1.com
drwxr-x--- site2:www-data /srv/www/www.site2.com

Inside put a htdocs-like directory, that's the docroot, and some other
stuff, only readable by the user, for classes, includes, secret
passwords etc... that won't be readable even in case Apache gets
compromised, e.g.

drwxr-xr-x site1:site1 /srv/www/www.site1.com/htdocs
drwx------ site1:site1 /srv/www/www.site1.com/secretlib

suPHP uses the CGI php binary. A great advance is that it's possible to
specify a php.ini per-vhost, like:

<VirtualHost 1.2.3.4:80>
ServerName www.example.com
DocumentRoot /srv/www/www.example.com/htdocs
AddHandler x-httpd-php .php
suPHP_Engine on
suPHP_ConfigPath /etc/php4/vhosts/example
</VirtualHost>

So... setttings things like include_path can be done for everyone to
point e.g. to their own ..../secretlib directory.

Be sure to switch Engine = off in the php.ini for mod_php and enable it
only when you want it (phpMyAdmin, squirrelmail etc):

<VirtualHost 1.2.3.4:8443>
Blah...

# PHP with mod_php.
php_admin_flag engine on

Alias /webmail /usr/share/squirrelmail
</VirtualHost>

When you need a mod_php-like virtualhost with https and a secure vhost
for you own scripts with https, just run them on different ports (like
suphp on 443 and mod_php on 8443 and there won't be no complaints about
the server name in the SSL certificate.

Because Apache suexec is still disabled, it's also possible to run
things like mailman etc... CGI for users can be done with cgiwrap.

Have fun!
Hans van Kranenburg

P.S. (Any comments on this setup?)

--
"He who asks a question is a fool for five minutes;
he who does not ask a question remains a fool forever"
Jul 17 '05 #4
<no****@geniegate.com> wrote in message
news:Lu************************@client.tunestar.ne t...

Couldn't do these kinds of things for $3.95/month, but $20.00/month buys
you a VPS. Not terrible considering 5-6 years ago, it was $25.00/month for
a 1/2 decent *shared* server with a fraction of the disk space and no access to your config files or cron.

A VPS still isn't absolutely secure if your ISP has physical access
to the machine.


Hmmm...I didn't know prices for VPS has dropped to such level. For my
private hobby site I'm still paying $25 a month for shared hosting. Yup, it
was set up some five, six years ago :-(
Jul 17 '05 #5
"Colin McKinnon" <co**************@andthis.mms3.com> wrote in message
news:d1*******************@news.demon.co.uk...
Chung Leong wrote:

Those of us who know better know, of course, that that's not the case.


Not by default. But it is possible to isolate each virtual host using
openbasedir/safe_mode/safe_mode_execdir.

C.


But AFAIK, most ISPs don't set up separate session path per virtual host. So
it's possible to create a session file through one site and use it in
another.
Jul 17 '05 #6
On Wed, 16 Mar 2005 19:51:05 -0500, "Chung Leong"
<ch***********@hotmail.com> wrote:
"Colin McKinnon" <co**************@andthis.mms3.com> wrote in message
news:d1*******************@news.demon.co.uk...
Chung Leong wrote:
>
> Those of us who know better know, of course, that that's not the case.
Not by default. But it is possible to isolate each virtual host using
openbasedir/safe_mode/safe_mode_execdir.

C.


But AFAIK, most ISPs don't set up separate session path per virtual host.


Did you do a survey? How did you determine that the word most is the
best word to use in this case?

So it's possible to create a session file through one site and use it in
another.


Maybe at _SOME_ ISP's. Certainly not most. Certainly not ours.

--
gburnore@databasix dot com
---------------------------------------------------------------------------
How you look depends on where you go.
---------------------------------------------------------------------------
Gary L. Burnore | ۳ݳ޳ݳۺݳ޳ݳݳ޳ݳ۳
| ۳ݳ޳ݳۺݳ޳ݳݳ޳ݳ۳
DataBasix | ۳ݳ޳ݳۺݳ޳ݳݳ޳ݳ۳
| ۳ 3 4 1 4 2 ݳ޳ 6 9 0 6 9 ۳
Black Helicopter Repair Svcs Division | Official Proof of Purchase
================================================== =========================
Want one? GET one! http://signup.databasix.com
================================================== =========================
Jul 17 '05 #7
.oO(Chung Leong)
(b) Is it possible to set up Apache so that virtual sites are protected from
one and other?


Yep. There are several ways for doing it. On one of my hosts for example
everything runs in a Jailshell and every CGI process runs with the name/
group of his owner. Of course this means that PHP has to run as CGI as
well, but that's not really a problem. And finally it doesn't require
the ugly safe_mode.

With this setup reading other people's directories is only possible if
you know the directory name and the permissions are set to at least o+r
(public readable).

Micha
Jul 17 '05 #8
Hans van Kranenburg <us**@example.net> writes:
I'm running several webservers with Apache/PHP, and I'm pretty happy
with my setup. After struggling for months with suexec, I switched to
the suPHP module (which acts as a wrapper, running php scripts as the
user who owns the script)
(using Debian GNU/Linux)

Put the websites somewhere and make them readable by the owner and by
Apache, e.g.
drwxr-x--- site1:www-data /srv/www/www.site1.com
drwxr-x--- site2:www-data /srv/www/www.site2.com

Inside put a htdocs-like directory, that's the docroot, and some other
stuff, only readable by the user, for classes, includes, secret
passwords etc... that won't be readable even in case Apache gets
compromised, e.g.
drwxr-xr-x site1:site1 /srv/www/www.site1.com/htdocs
drwx------ site1:site1 /srv/www/www.site1.com/secretlib

suPHP uses the CGI php binary. A great advance is that it's possible
to specify a php.ini per-vhost, like:
<VirtualHost 1.2.3.4:80>
ServerName www.example.com
DocumentRoot /srv/www/www.example.com/htdocs
AddHandler x-httpd-php .php
suPHP_Engine on
suPHP_ConfigPath /etc/php4/vhosts/example
</VirtualHost>

So... setttings things like include_path can be done for everyone to
point e.g. to their own ..../secretlib directory.
Be sure to switch Engine = off in the php.ini for mod_php and enable
it only when you want it (phpMyAdmin, squirrelmail etc):
<VirtualHost 1.2.3.4:8443>
Blah...

# PHP with mod_php.
php_admin_flag engine on

Alias /webmail /usr/share/squirrelmail
</VirtualHost>

When you need a mod_php-like virtualhost with https and a secure vhost
for you own scripts with https, just run them on different ports (like
suphp on 443 and mod_php on 8443 and there won't be no complaints
about the server name in the SSL certificate.
Because Apache suexec is still disabled, it's also possible to run
things like mailman etc... CGI for users can be done with cgiwrap.

Okay, so even though the suPHP is a 'module' -- you are still
basically execing another process to handle every PHP page and action?
Just want to make sure on that. The big reason we like PHP is for
busy sites and we don't want the overhead of starting another process
for each request.

About security, we normally tell folks if you want to hide
it with PHP, then put it in a MySQL database which we can lock up tight.
A lot of folks have packages which want to upload files or create files,
that can be a real problem

--
John
__________________________________________________ _________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/
Jul 17 '05 #9
John Murtari wrote:
Hans van Kranenburg <us**@example.net> writes:
I'm running several webservers with Apache/PHP, and I'm pretty
happy with my setup. After struggling for months with suexec, I
switched to the suPHP module (which acts as a wrapper, running php
scripts as the user who owns the script)
Okay, so even though the suPHP is a 'module' -- you are still
basically execing another process to handle every PHP page and
action?

Yes. :(
Just want to make sure on that. The big reason we like PHP is for
busy sites and we don't want the overhead of starting another process
for each request. That's true.
About security, we normally tell folks if you want to hide it with
PHP, then put it in a MySQL database which we can lock up tight. A
lot of folks have packages which want to upload files or create
files, that can be a real problem

You still have to hide the MySQL password, but that can be done.

After all it's a trade-off. I like the extra possibilities, the security
at filesystem-user-level instead of relying on safe_mode and
open_basedir (although they're still being used) and take the
performance-drop for granted. In my situation that's possible because
the php-stuff is not the bottleneck on this server.

Hans

--
"He who asks a question is a fool for five minutes;
he who does not ask a question remains a fool forever"
Jul 17 '05 #10
In article <42*********************@news.xs4all.nl>,
Hans van Kranenburg <us**@example.net> wrote:
John Murtari wrote:
Hans van Kranenburg <us**@example.net> writes:
I'm running several webservers with Apache/PHP, and I'm pretty
happy with my setup. After struggling for months with suexec, I
switched to the suPHP module (which acts as a wrapper, running php
scripts as the user who owns the script)


Okay, so even though the suPHP is a 'module' -- you are still
basically execing another process to handle every PHP page and
action?

Yes. :(
Just want to make sure on that. The big reason we like PHP is for
busy sites and we don't want the overhead of starting another process
for each request.

That's true.
About security, we normally tell folks if you want to hide it with
PHP, then put it in a MySQL database which we can lock up tight. A
lot of folks have packages which want to upload files or create
files, that can be a real problem

You still have to hide the MySQL password, but that can be done.

After all it's a trade-off. I like the extra possibilities, the security
at filesystem-user-level instead of relying on safe_mode and
open_basedir (although they're still being used) and take the
performance-drop for granted. In my situation that's possible because
the php-stuff is not the bottleneck on this server.

Hans


http://shiflett.org/articles/security-corner-mar2004 talks about sweet
little hack you might be able to get your sysadmin to implement. I
created a local apache "include" file in my home directory that's owned
by me and with permissions 600 so only I can access it. That file
creates Apache variables with the SetEnv directive for the MySQL user
and password. Another account on the machine doesn't 'see' these
variables, so they aren't global. Since the apache startup runs as
root, it can read the protected file.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #11

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

11
by: Mike MacSween | last post by:
My client has an MS Access database application on her local machine. I have full access to that in terms of changing the design. I've got a simple PHP/MySql application on shared hosting, so no...
3
by: Jo Davis | last post by:
www.shanje.com does sql server hosting, on shared servers, at a reasonable price. It seems. They also allow client connections. Just playing around I've managed to connect an Access Data Project...
13
by: Erick Papadakis | last post by:
hello, i am a newbie to the pgsql world, so pls bear with a possibly stupid question. i want to test out pgsql but i only have a shared hosting account. is it possible to install pgsql without...
0
by: Chris Travers | last post by:
Hi all; This seems at least somewhat on-topic here, so at the risk of seeming shamelessly self-promoting, I figured I would ask. I am the main developer of an open source CRM suite...
2
by: Carl Gilbert | last post by:
Hi I feel as if I'm fighting a loosing battle with shared hosting at the moment. I have an account with 1&1. For a whopping 16.99 a month I get 6GB of shared Microsoft hosting. I also get...
2
by: comp.lang.php | last post by:
I am in the middle of debugging a script that is hanging on "session_start()", which, if I recall, can occur if session.save_path points to a directory onto which you do not have permission to...
11
by: Marko | last post by:
I need some good hosting. I found www.webhost4life.com and I was been very happy because they give a lot of features very cheap. But I have read many bad things about this hosting, so I need some...
21
by: Herb | last post by:
Why do so many hosting services only offer PHP4? That's even true for Yahoo.
3
by: Barrie Wilson | last post by:
I have a really simple test app which consumes two public web services (one stock quote and one Amazon books collection); it works just fine when posted on my local servers but when I publish it...
0
by: veera ravala | last post by:
ServiceNow is a powerful cloud-based platform that offers a wide range of services to help organizations manage their workflows, operations, and IT services more efficiently. At its core, ServiceNow...
0
by: VivesProcSPL | last post by:
Obviously, one of the original purposes of SQL is to make data query processing easy. The language uses many English-like terms and syntax in an effort to make it easy to learn, particularly for...
3
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
0
by: mar23 | last post by:
Here's the situation. I have a form called frmDiceInventory with subform called subfrmDice. The subform's control source is linked to a query called qryDiceInventory. I've been trying to pick up the...
2
by: jimatqsi | last post by:
The boss wants the word "CONFIDENTIAL" overlaying certain reports. He wants it large, slanted across the page, on every page, very light gray, outlined letters, not block letters. I thought Word Art...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
1
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.