NYCPHP Meetup

NYPHP.org

[nycphp-talk] Pair Network's "security" model - could it be this bad?

Jayesh Sheth jayeshsh at ceruleansky.com
Tue Jun 1 13:10:00 EDT 2004


Hello all,

I have been looking for a virtual private server, or another shared 
server hosting provider.

I have been doing some research, and came across Pair Networks 
(www.pair.com). They have been around for quite some time (since 1996, I 
think) and seem to have a good reputation.

I was about to sign up for one of their high-end shared hosting plans 
(especially since their control panel looked both easy-to-use and 
flexible), and then I came across this bit of information buried in one 
of their FAQ pages:

------
http://pair.com/support/knowledge_base/frequently_asked_questions/security.html#4

"I was logged into my account, and when I went up one level from my home 
or Web directory, I could see everyone else's files!

This is a normal and reasonable security model. Files which are 
published by the Web server need to be publicly accessible, as the Web 
server software runs without any special privileges. Your files will not 
be subject to modification by other users on the server unless you have 
set the permissions specifically to allow that, or if the files have 
been created through CGI scripts running as user "nobody". Read more 
about file permissions.

You can protect script source code through the use of "cgiwrap", and if 
you prefer security through obscurity, you may set permissions in a way 
that blocks casual browsing by other users. Details are available in our 
Support Resources.

Being able to see a file does not mean you can modify it."

------

If I understand correctly, what they are saying is that if I sign up for 
an account with them, ANY of their other 150,000 customers will be able 
to READ all of my web files, including PHP source code and database 
passwords.

They seem to have a clumsy workaround called php-cgiwrap:

http://pair.com/support/knowledge_base/authoring_development/system_cgi_php-cgiwrap.html

I don't know, but this "security model" seems ANYTHING BUT "normal and 
reasonable" to me.

In my current setup, a domain can be mapped to a directory in a certain 
user's root directory. Only that user can access any of the files in 
that user's directory. Pair's method of hosting seems totally insecure 
and inflexible, and their workaround seems like a real pain in the you 
know where.

Does anyone else have another opinion on this?

Best Regards,

- Jay
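The two permission models in the quoted FAQ (PHP run by a web server as "nobody" versus scripts run as the owning user through cgiwrap) can be checked with ordinary find/chmod. The script below is an added example and is not from the post or from Pair; the sample site tree and its credential string are constructed for the demonstration.

```sh
#!/bin/sh
# Build a throwaway site tree with the permissions a typical shared host leaves:
# files 644, directories 755 (constructed sample data, not a real account).
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/public_html/inc"
  printf '<?php $db_pass = "constructed-example";\n' > "$d/public_html/inc/config.php"
  printf '<?php echo "hi";\n' > "$d/public_html/index.php"
  printf 'not-really-a-png\n' > "$d/public_html/logo.png"
  chmod 644 "$d/public_html/inc/config.php" "$d/public_html/index.php" "$d/public_html/logo.png"
  chmod 755 "$d/public_html" "$d/public_html/inc"
  echo "$d"
}

# Audit: regular files whose "others" read bit is set, i.e. readable by any
# other local user on the box, which is exactly the exposure the FAQ describes.
list_world_readable() {
  find "$1" -type f -perm -004
}

count_world_readable() {
  list_world_readable "$1" | wc -l | tr -d ' '
}

# Model A (web server runs as "nobody"): the server can only read what others can,
# so PHP sources must stay o+r. The FAQ's "blocks casual browsing" option is to
# make directories traversable but not listable (711); the files stay readable
# to anyone who already knows the path.
block_casual_browsing() {
  find "$1" -type d -exec chmod 711 {} +
}

# Model B (scripts run as the owning user via cgiwrap): sources need no o+r at all,
# so credential-bearing PHP/include files can be owner-only. Static assets the
# web server still serves directly must keep o+r, so they are left alone here.
harden_for_cgiwrap() {
  find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -exec chmod 600 {} +
}
```

Run `list_world_readable ~/public_html` on a real account to see which files neighbours could read; `harden_for_cgiwrap` only helps once PHP actually executes as your user.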
