Geeklog Forums

I've recently set up a GL site at phpwebhosting.com, and I've noticed a fairly significant security issue. mod_php runs with the webserver's user and group (nobody,nobody). As a result config.php must be world readable (exposing the DB password) and the log and several other directories much be world writable (exposing the site to all kinds of attacks). I understand that issue if fundamental to mod_php and Apache, and not specific to phpwebhosting.

Has anyone found a graceful way around this? Running php as a cgi is an option, I suppose, but that just seems wrong here in 2004. A dedicated server is overkill for my needs and my budget. Are there hosting providers that offer virtual hosting with mod_php run with the client's user id? I understand Apache 2.x can do this, but I don't know how it scales and haven't found any providers running anything but 1.3.x.

Input greatly appreciated. I know lots of you are running GL sites, so you must have grappled with this. Please share how you handled it.

Thanks,
quarks

There are a lot other options that aren't too costly.

I'm currently hosted at www.imhosted.com and they have GL as installable option once you sign-up. They are fairly inexpensive and fast.

I run a fairly large site and have had very few problems.

---

Shane | www.EyeCraveDVD.com