[plug] [OT] Password security with shared web hosting

James Devenish devenish at guild.uwa.edu.au
Wed Aug 25 21:20:40 WST 2004 

Foreword: I tried to use Google to solve my problem, but apparently all
search phrases that happen to include "web" and "hosting" lead straight
to ads for every man and his dog. But I want real info. If any of you
know about this stuff (described below), or can point to intelligent
technical resources, I would appreciate the feedback.

Basically, I am wondering what people do about 'database passwords' in
shared web hosting environments where scripting is permitted. A security
problem arises when scripts belonging to a co-hosted site can read the
raw code of scripts of neighbouring co-hosted sites. One such situation
would be a UNIX Apache host -- the daemon runs as a particular UNIX user
with access to everyone's files. In the case of module-based scripts
(PHP would be a paragon of this, as contrasted with CGI), everybody's
scripts run as the same UNIX user and can thus have privileges to snoop
on each other's source code. In many cases, this source code may contain
passwords for database services. As I understand it, the only security
that exists in this situation is security through obscurity. I work
around this problem by methods such as:

 - Using a dedicated web host, thereby having no "untrustd" sites on the
   same host.
 - Using authentication systems where the user-supplied credentials are
   both necessary and sufficient, so that breach of the source code is
   insufficient to breach the databases.
 - Using application servers, where sensitive files are only accessible
   by the application server user, and the only process that can run
   with application server privileges is the application server itself,
   such that all file access is controlled through the application
   server's own security system rather than the UNIX permissions
   (Java-based hosting would be a good example of this).

My question is: how does everyone else solve this problem? Does no one
care, or am I missing the obvious?

PS. I might have known the answers to my own questions in the past, but
I seem to have forgotten.

More information about the plug mailing list