Hi Folks,
I recently switched some of my client sites to TSO Host (https://www.tsohost.com), their "cloud" hosting. I been generally happy with the switch but have a serious concern that I'm looking for advice on.
Doing an upgrade to 7.19 of one of the sites I did a sanity check on permissions using the secruity review module. I'd set all files and folders as follows;
find . -type d -exec chmod u=rwx,g=rx,o=r '{}' \;
find . -type f -exec chmod u=rw,g=r,o=r '{}' \;
chmod -R 664 sites/default/files
find -name settings.php -type f -exec chmod 640 '{}' \;TSO however still allows www to write to all files and folders....
When I asked them about this I got the following responses;
TSO, "It has write access because everything runs under your username. It's not really a problem ".
I replied, "But surely that a security risk? From what I been able to understand anyway."
TSO, "Yes, but there is no alternative on a shared system."
I call BS here...
Finally they said, "There are two main ways to run a website. One with the script running under your username, and one whereby the webserver runs under its own username. Whether or not the webserver can write to the site files is largely irrelevant because there is usually always somewhere on a server where an attacker could write arbitrary data - and to do this in the first place requires there to be an unpatched vulnerability within the script."
All in all I find this really disturbing. Surely this is just reckless and putting the site unduley at risk of compromise? I'm not an expert so I'd really like the communities feedback on this.
I'd like to know if;
a) Is this a problem?
b) If so, what can I do to make the site more secure while still using TSO
c) If nothing, then any recommendations on a good web host... I need:
UK host prefered, SSH access, bzr and "cloud" like features allowing me to scale the resources of accounts if needed.
Appreicate the time and effort.
Cheers
Brendan