Files/folders permissions and ownerships: shared hosting unusable??

My first two weeks with hostgator and still testing to find out if this is a right hosting place for me.

I had a couple of concerns that were rapidly dealt with by support, although some should have never existed in the first place.

My main concern right now is the way the hostgator system is set up. I am having a lot of trouble with file/folder permissions, since according to a reply by support:
----------------
" I'm not sure.. the way our setup works is PHP operates as the webserver user... so any files created by or uploaded through will be owned by the user nobody. I"m not sure what way around this we have.
Sincerely,

Lyron Foster
Chief Technology Officer
Senior Systems Administrator"
-----------
The result of such a setting makes it quite difficult to rename, delete or move file and forlders. Moreover, it requires to CHMOD many folders to 777 to make them writable, which is a higly undesirable situation.

In this particular case, I have been a little bit disappointed by the responses I got, since the only suggestion is to switch to a dedicated server, with a much higher price tag, where having root acces will resolve the problem.

Does this means that shared accounts are basically worthless here? Moreover, since I have a reseller account, I can imagine the trouble I will have with my clients!

I know that there is a way around (I am testing right now another hosting company, where no folders need to be 777 - 755 is writable (because php runs with the same permissions as you) and am wondering why it is not implemented in here???

Love to hear comments and more explanations, befor deciding to leave from here.
Karim

[khepri]

Quote:

Originally Posted by Unregistered

The result of such a setting makes it quite difficult to rename, delete or move file and forlders.

I take it you don't use a FTP program?

You should mnot have any difficulty renaming, deleting, or moving files and folders...

The 777 issue can be handled other ways as Serra outlined elsewhere...

[Serra]

Quote:

Originally Posted by Unregistered

----------------
" I'm not sure.. the way our setup works is PHP operates as the webserver user... so any files created by or uploaded through will be owned by the user nobody. I"m not sure what way around this we have.
Sincerely,

It is a common Apache setup for scripts to run as "nobody". I'm fairly sure I would NOT want to run my stuff on a system where scripts were allowed to run with a username. That opens up a whole host of problems. Any script running under a username has FULL access to all of the files in the account. That means that anyone running a script in an account, such as a hacker, have full account level access (including email) to the account. They can change any file. This allows hackers to do far more than they could on a "nobody" system. For example, changing your 404 page is impossible if a script is running as "nobody" because it is in a 755 directory. Another problem with scripts running as a username and the reason that the community started running as "nobody" is that hackers were finding ways to runs scripts as "root". One hacker on the system is all that is needed to run a script under "root" and the whole place goes to hell. They will modify every site on the whole server to fit their needs. That is a HUGE danger, which is impossible for scripts running as "nobody".

The downside is that scripts can't change files unless the permission is 777 or upload unless the directory is 777. The danger in that is that anyone on the server can write to those files, but luckily, not the rest of the site.

Give the restrictions, the 777 seems safer because the pool of idiots that can access the site is limited. Neither is great, but there are ways around using 777, but they are a lot more work, such as CGI Wrap.

Quote:

Does this means that shared accounts are basically worthless here? Moreover, since I have a reseller account, I can imagine the trouble I will have with my clients!

No, because this is a fairly standard setup. All shared account SHOULD be setup this way. As a reseller, most clients should be aware that scripts can't run under a username and will take actions to avoid that problem.

I have a dedicated server and it is currently set to run scripts as "nobody" and I have no plans to change it. The risks are too high. There are several minimum security requirements that I HATE, but that I live with because the alternative is really bad. One of those is scripts running as "nobody" and the other is IP specific access settings to the mySQL server. Both totally suck, but without them, you're screwed.