Written by BurinaTec
Category: Web Hosting
Why CGI/FastCGI SAPI - PHP security!
In most cases, shared hosting services inplement the technique known as "virtual" hosting. This means that many web sites share the resources of the same server, both hardware and software-wise. Apache web server, like many others, serves by default all the sites using the same system username. On the majority of entry-level hosting platforms the PHP interpreter is implemented as an Apache shared module (DSO), which optimizes the performance and allows a large number of web sites to be hosted.
A technical detail that hosting providers usually don't eagerly share with the customers is the fact that in such environment all the PHP scripts owned by many different users work under exactly the same system "identity", thus being able to read each others files, even those with sensitive data such as database names, usernames and passwords. No matter how well the web site is protected from the outside world, in this scenario it stays completely vulnerable to the potential malicious activities of another users on the same server.
At the expense of several percent of maximum performance, Burina.NET Web Hosting service implements additional techniques that enable PHP scripts to be executed, like CGI scripts, with the privileges of their owners, i.e. the username used to set up the content of the site. In this way, one of the greatest security issues of common, shared platforms has been completely eliminated.
To protect your PHP script that contains sensitive information (for example the configuration file containing your database credentials), you need to set its filesystem attributes so only the owner can read it or write to it. This can be achieved in several ways, depending on your FTP client or whether you have a shell access enabled.
In most FTP clients, for each file on the remote server there's an option to set the privileges, divided into three groups of three flags. The groups are: owner, group and others. The flags are: read (r), write (w) and execute (x). In such FTP clients, you should set the privileges for the file like so:
The final representation of these privileges could look like this: "rw-------". This means the owner can read and write, group and others can't.
To achieve the same result in the command prompt of your FTP client or shell terminal, you can type:
chmod 600 filename.php