Re: shared hosts and MP2 security
[Date index for 2004/12/24]
BTW, please wrap your paragraphs to max 80 characters; unfortunately, many
email clients still can't properly wrap longer lines at display or quote time.
> PHP works around this problem with the OPEN_BASEDIR directive. I don't know
> how secure this is, but it seems it works
No it doesn't. As I wrote, a quick google will show this. Trying to limit
access that way without using system user accounts is like playing
whack-a-mole, there'll always be ways around that like in
http://secunia.com/advisories/13023/ .
All the cheap mass-hosters that I've seen simply have no secure separation
of customers. They pretty much all run their customers' processes with the
same user account, whether it's plain Apache, CGI or PHP.
> I think that's the reason PHP is so widely spread among shared web hosts
While some admins may believe in snake oil like open_basedir, there are
other reasons for that. Including the fact that MP is basically useless for
cheap mass-hosters because Perl can't really unload code, which just uses
too much RAM. PHP on the other hand can't cache code out of the box, which
is lame for dedicated servers, but for this kind of scenario is better. Of
course some or many mass-hosters just run PHP in CGI mode, like they do with
plain Perl CGI.
Also, having a big but limited set of PHP-bundled libraries that everybody
uses is more practical for web hosters than having to install much of CPAN,
or doing CPAN module installs on request.
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
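
An added illustration, not part of the original message, of the point about system user accounts: it applies the standard owner/group/other read check to two hosting layouts and lists which customer scripts can read another customer's files. The uids, paths, customer names and file modes are constructed, and ACLs and root are left out of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    path: str
    customer: str  # whose data this is
    owner: int     # uid
    group: int     # gid
    mode: int      # permission bits

@dataclass(frozen=True)
class Proc:
    customer: str  # whose script is running
    uid: int
    gids: frozenset

def can_read(proc, f):
    """Owner/group/other read check (simplified: no ACLs, process is not root)."""
    if proc.uid == f.owner:
        return bool(f.mode & 0o400)
    if f.group in proc.gids:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

def cross_customer_reads(procs, files):
    """(customer, path) pairs where a script can read another customer's file."""
    return sorted((p.customer, f.path) for p in procs for f in files
                  if f.customer != p.customer and can_read(p, f))

def shared_account_layout():
    # Constructed: every script runs as one web server account (uid 48), so
    # files have to be readable by that account (here: mode 0644).
    procs = [Proc("alice", 48, frozenset({48})), Proc("bob", 48, frozenset({48}))]
    files = [FileMeta("/home/alice/htdocs/config.php", "alice", 1001, 1001, 0o644),
             FileMeta("/home/bob/htdocs/config.php", "bob", 1002, 1002, 0o644)]
    return cross_customer_reads(procs, files)

def per_customer_layout():
    # Constructed: each customer's scripts run under that customer's own uid,
    # so files can be owner-only and the kernel enforces the boundary.
    procs = [Proc("alice", 1001, frozenset({1001})), Proc("bob", 1002, frozenset({1002}))]
    files = [FileMeta("/home/alice/htdocs/config.php", "alice", 1001, 1001, 0o600),
             FileMeta("/home/bob/htdocs/config.php", "bob", 1002, 1002, 0o600)]
    return cross_customer_reads(procs, files)

if __name__ == "__main__":
    print("shared account:", shared_account_layout())
    print("per-customer uid:", per_customer_layout())
```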