Thursday, January 15, 2009

Shared Web Hosting

My experience to date setting up Linux and Apache web servers has been with dedicated servers. A server for a shared web hosting service presents some new problems I have not had to deal with before, with security between sites at the top of the list.

Many web applications expect to have write access to the file system. Since the applications are running as the Apache user (www-data in Debian), a malicious application could write anywhere that www-data can write, and take over another site. I am researching best practices for setting up shared hosting environments, and so far the Apache modules suEXEC and suPHP are the common approach. The idea is for Apache to change to the user that owns the files before accessing the data. There are some problems with this approach. One is that the applications can only run as CGI, which is not very efficient. Another problem is that the user must be a real user on the system, which opens other security concerns.
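To see how far that exposure reaches on a given server, the sketch below lists, per site, every path the shared Apache account can modify according to the Unix mode bits. It is an added example, not code from this post; the one-directory-per-site layout under a hosting root and the function names are assumptions.

```python
import os
import pwd
import stat
import sys


def writable_by(st, uid, gids):
    """True if the mode bits grant write access to uid/gids.

    Mirrors the kernel's order: the owner class is checked first, then
    group, then other. ACLs and root's override are not modelled.
    """
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_sites(hosting_root, uid, gids):
    """Map each site directory (assumed layout: one per site) to the
    paths inside it that the shared web server account can modify."""
    findings = {}
    for site in sorted(os.listdir(hosting_root)):
        site_dir = os.path.join(hosting_root, site)
        if os.path.islink(site_dir) or not os.path.isdir(site_dir):
            continue
        hits = []
        for dirpath, _dirs, files in os.walk(site_dir):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # a symlink's own mode bits are meaningless
                if writable_by(st, uid, gids):
                    hits.append(os.path.relpath(path, hosting_root))
        findings[site] = sorted(hits)
    return findings


if __name__ == "__main__":
    # Usage: audit.py HOSTING_ROOT [USER]; www-data is Debian's Apache user.
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    account = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, account.pw_gid))
    for site, paths in audit_sites(sys.argv[1], account.pw_uid, groups).items():
        print(f"{site}: {len(paths)} path(s) writable by {user}")
        for p in paths:
            print(f"  {p}")
```

Any path reported for a site is one that code running in a different site could also modify, because every site shares the same Apache account.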

So far I haven't found a definitive guide for setting up a shared hosting server. I bet there is one out there so I'll need to google some more, but I'm done for the day.
