NYCPHP Meetup

NYPHP.org

[nycphp-talk] Pair Network's "security" model - could it be this bad?

Jayesh Sheth jayeshsh at ceruleansky.com
Tue Jun 1 19:51:17 EDT 2004


Thanks for the good responses and tips, Chris (Snyder).

My host does not have SFTP support, but they offer a VPN option for 
extra amount per month.

I just found this page which (humorously) refers to two of the 
things you mentioned (using SFTP and chrooting users):

http://chrootssh.sourceforge.net/

Also, I belatedly noticed that Daniel's (Convissor) page on UNIX 
permissions is linked from my host's knowledge base:

http://www.analysisandsolutions.com/code/chmod.htm

It is a good document. I really need to read up on all this "user", 
"group" and "other" stuff (!) It can get a bit confusing. Now I know why 
Windows by default is insecure - it's just easier.

The only (and scary) thing is - when I am on a shared host, it's not that 
ha-ha to find out that other users could be snooping through my source 
code or db password. That's almost like open source by coercion.

I feel that webhosting providers which specialize in shared hosting 
should be upfront in the security policies they follow - and in the case 
of setups such as Pair Networks', alert users in all ways possible to 
use php-cgiwrap (or whatever other abstruse method is required) to keep 
data private.

Many non-developers (including static HTML coders and graphic designers) 
don't have the slightest idea about chroot, SSH, shell users, 
permissions and such. It seems that any webhost interested in being 
present for the long term and in the security of its users' data would 
take a better approach.

I know, it seems like I am bashing Pair, when in fact I thought they were 
quite cool until yesterday. It could just be my ignorance on the subject 
showing - that I am perhaps more outraged at my own previous lack of 
interest (or ignorance) on the subject of security than at Pair's shared 
hosting setup.

I guess what Chris was saying was that it is the norm for shared hosting 
providers to be lax about security and that therefore it is the 
customer's job to worry about whether his data is safe.

I know, all my ranting on this subject does make me look like a paranoid 
freak (something my brother has joked about on more than one occasion). 
I am really not that way - see, I use Windows on the desktop, I don't 
dream about compiling my version of PHP, or security jails. It's just ...

Best Regards,

- Jay
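An added example, not from this thread or from Pair Networks: the "other" bit Jay mentions is exactly what lets every other account on a shared host read a config file holding a db password. This POSIX shell snippet lists regular files under a directory that grant read to "other" and strips those bits; the temporary tree in `demo` is constructed for illustration.

```shell
#!/bin/sh
# Audit a web directory on a shared host for files readable by "other"
# (the third permission triplet: any account on the box, not just you
# or your group). Example added for this thread; assumes POSIX sh and find(1).

# Print every regular file under $1 whose mode grants read to "other".
find_world_readable() {
    find "$1" -type f -perm -o=r
}

# Count those files (trailing whitespace from wc stripped for portability).
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Remove all "other" bits from every regular file under $1, so only the
# owner (and the owner's group) can read source and credentials there.
lock_down() {
    find "$1" -type f -perm -o=r -exec chmod o-rwx {} +
}

# Demo on a constructed temporary tree: a PHP include holding a password
# and a static page. Both start with the usual 644 (world-readable) mode.
demo() {
    dir=$(mktemp -d)
    mkdir "$dir/includes"
    printf '<?php $db_pass = "constructed-example";\n' > "$dir/includes/config.php"
    printf '<html>hello</html>\n' > "$dir/index.html"
    chmod 644 "$dir/includes/config.php" "$dir/index.html"
    echo "readable by other before:"; find_world_readable "$dir"
    lock_down "$dir/includes"          # only the private part of the tree
    echo "readable by other after:";  find_world_readable "$dir"
    rm -rf "$dir"
}
```

If PHP runs as the shared web-server user rather than as your account, stripping "other" read from includes will also stop your own pages from reading them, which is why the thread points at php-cgiwrap (running scripts as your own user) as the companion step.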
