Tom,

That's quite interesting. Are you recommending a VPS solution if one can't
afford a dedicated server? Are there any VPS hosts you recommend?

Thanks,
Brandon

-----Original Message-----
From: symfony-users@googlegroups.com [mailto:symfony-us...@googlegroups.com]
On Behalf Of Tom Boutell
Sent: Monday, December 15, 2008 11:39 AM
To: symfony-users@googlegroups.com
Subject: [symfony-users] Re: Symfony on shared hosting: a security reminder


I see the topic of Symfony in shared hosting has come up again.

If the "shared hosting" service you are using allows you to see the
files of other customers when permissions are not carefully set, you
MUST NOT run the stock, out-of-the-box Symfony distribution in that
environment. This is because Symfony's cache manager creates
world-writable PHP scripts in the cache folder. ANY CUSTOMER of the
web host could overwrite those with scripts of their own and take over
your site completely. It's not "if you get hacked." It's more like
"when you get hacked."

Symfony's cache manager does this regardless of the permissions you
have set on your project as a whole. Setting umask will not help.
There is explicit code in the cache manager to override umask and make
sure everything in the cache is writable by everybody. With hundreds
of clients on a single box this is, of course, not safe.

To be fair, Symfony does this because on some shared hosts PHP scripts
run as "nobody." On such hosts there is no other way to make the cache
folder work. But this kind of "working" is worse than not working at
all because it is a security failure waiting only for the arrival of
one untrustworthy user, or one otherwise-compromised site, on a boxful
of sites that aren't yours.

Some hosts, notably Pair, allow your scripts to run as your own
account rather than as nobody. This is called suPHP. Often it is not
turned on by default; you must enable it or ask for it to be enabled:

http://www.pair.com/support/knowledge_base/authoring_development/system_cgi_php-cgiwrap.html

Unfortunately, Symfony is not set up to take advantage of it well,
because of the code in the cache manager that bludgeons the
permissions in the cache folder right back to world-writable status
and cannot be turned off.

I filed a bug on this several months ago and also provided a patch:

http://trac.symfony-project.org/ticket/4412

If you must deploy Symfony in a shared hosting environment -
containing other sites not built by your own company - then you must
verify that at least one of the following is true:

1. GOOD: the host is using "chroot jails" for each site so that users
cannot see each other's files. When you log in and type "ls /home" you
don't see teeming hordes of other accounts. (Adjust /home based on
what the home directory of your own account is. Also try "cd ..; ls"
at the ssh command line to see whether you can see other accounts.)
This can be thought of as poor-man's virtual machine hosting; you can
still see other people in the process table but you can't see their
files, which is by far the bigger risk. If you have cheap shared
hosting you probably don't have this feature, but check and see; you
might be in luck.

2. OKAY-ISH: (a) the host is providing suPHP so that scripts run AS
YOU, not as "nobody," and (b) you have applied my patch to Symfony.
This solution works but still requires that you be vigilant and watch
out for other code that might not be managing permissions well, so
it's not as good. Of course, there is no warranty for my patch - it
solved a problem for me once, but your results may vary.

In general, if you have a choice, don't use shared hosting at all. Get
"virtual hosting" (virtual machine-based hosting) if your budget does
not allow for dedicated hosting. In these setups you have your own
virtual operating system and no one else can see your files. File
permissions go away as an issue in this situation (with regard to the
security impact of other sites, anyway).

NOTE ON SYMFONY 1.2: a brief examination of the 1.2 cache manager code
suggests that this problem is still very much around.

-- 
Tom Boutell

www.punkave.com
www.boutell.com
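
An added example, not part of Tom's message, his patch, or Symfony's code: a POSIX shell audit for world-writable entries under a project's cache directory, with a constructed temp tree showing that an explicit chmod defeats umask. All function names and the demo files are hypothetical.

```shell
#!/bin/sh
# Added example: function names and the demo tree are hypothetical.

# List entries under $1 that any local user may write to (mode bit o+w).
# Symlinks are skipped because their own mode bits are not enforced.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -exec ls -ld {} +
}

# Print how many such entries exist under $1.
count_world_writable() {
    find "$1" ! -type l -perm -0002 -print | wc -l | tr -d ' '
}

# Remove o+w from everything under $1. This only holds if the code that
# re-applies world-writable modes has been patched out, and it only works
# when PHP runs as your own account (suPHP), as the message explains.
harden_cache() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Build a constructed cache tree. umask 022 is in force, yet an explicit
# chmod afterwards still leaves the directory and one file world-writable,
# which is why setting umask alone does not help.
make_demo_cache() {
    d=$(mktemp -d) || return 1
    (
        umask 022
        mkdir "$d/cache"
        echo '<?php /* constructed sample */' > "$d/cache/config.php"
        echo '<?php /* constructed sample */' > "$d/cache/routing.php"
        chmod 0777 "$d/cache"             # stands in for the explicit override
        chmod 0666 "$d/cache/config.php"  # routing.php keeps 0644 from umask
    )
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_cache)
    list_world_writable "$demo"
    echo "before: $(count_world_writable "$demo")"
    harden_cache "$demo"
    echo "after: $(count_world_writable "$demo")"
    rm -rf "$demo"
fi
```

Run it with `--demo` to see the constructed tree, or source it and call `list_world_writable` on your own project's cache directory.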



