Exposing phpinfo...
boywonder
05-31-2003, 12:27 AM
...or php.ini for that matter. Security risk?
Trying out a new host. Turns out they run php as CGI (suexec) so I cannot affect any PHP settings via .htaccess. So, no problem - they kindly set me up with a custom php.ini with my requested settings.
This php.ini file sits in the web root however and is downloadable to the public simply by typing in the path to it. This surprised me for some reason, and I brought it to their attention. Was told that the file poses no threat to server security. Was also told that it would not reveal anything that wasn't in phpinfo. (but I wasn't planning to share that with the world either!)
So I am wondering now, should I be concerned or am I just being paranoid? :rolleyes:
The reason I wonder if it's just me is because this company is not fly-by-nighters or basement kids. They have an excellent reputation and provide great support. They are established and apparently well-liked by their client base, which is what drew me there in the first place.
Nightfire
05-31-2003, 01:05 AM
php.ini in the root?? urm..... ok...
htaccess disabled?... urm... ok....
why not tell your host to put your database info on the index page as standard?
next thing ya know, they'd not have cron or ssh...
if that's the case, change host, that host sounds like an 8 year old experimenting with his adsl-connected pc...
Spookster
05-31-2003, 01:18 AM
Do they also set all of your file and directory permissions to 777 by default or do you have to pay extra for that? :D
boywonder
05-31-2003, 01:30 AM
well thanks for that nightfire, but I can assure you the provider is not some 8 year old. They are pretty well established and very popular with their client base.
suexec has been implemented to increase security in a shared environment which is a big concern of theirs. Some background here: http://httpd.apache.org/docs/suexec.html
.htaccess is not disabled... you just can't change php settings via .htaccess unless php is running as a module. I can still use .htaccess for just about everything else.
and the web root is not an invalid place for the PHP interpreter to find the php.ini file. In fact it will look to the web root before using the web server's default php.ini, which is why it's placed there.
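An added example, not from this thread or the host in question: since .htaccess still works for everything except PHP settings, the file can stay where the CGI interpreter finds it while direct HTTP download is refused. It assumes Apache 2.2-style access control and that the host's AllowOverride permits the Limit (2.2) or AuthConfig (2.4) directives in .htaccess.

```apache
# Added example: refuse direct HTTP download of the per-account php.ini
# while leaving it on disk for the PHP CGI to read. Assumes Apache 2.2
# syntax and AllowOverride Limit for the Order/Deny directives.
<Files "php.ini">
    Order allow,deny
    Deny from all
</Files>

# Same treatment for any throwaway phpinfo() page left in the web root
# (file names here are assumed, adjust to whatever you actually use).
<FilesMatch "^(phpinfo|info)\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

# On Apache 2.4 (needs AllowOverride AuthConfig) replace the two lines
# inside each block with:
#     Require all denied
```

After adding this, requesting the path to php.ini in a browser should return a 403 instead of the file contents; if it still downloads, the override is not permitted and the host has to apply the rule in the main configuration.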
boywonder
05-31-2003, 01:39 AM
Spookster :D
Actually running under suexec, any 777 script will generate an Internal Server Error as far as I know. Even scripts that had those settings previously need to be changed to 755
firepages
05-31-2003, 01:43 AM
that someone can see your php.ini is not entirely a concern as there won't be anything in there of use except maybe the session save path, & unless the server-admin is very sloppy that in itself is not a problem + it does give the bad guys some inkling of what modules you have installed, known vulnerabilities... etc, truth is that in reality I don't see it as a big security risk though it's strange that a professional host would suggest this in the first place.
but more of a worry to me would be that a professional host would consider running PHP as a CGI as opposed to a server module ?
boywonder
05-31-2003, 01:52 AM
Hi Firepages - Thanks
Yes, that surprised me... I was not expecting that at all.
Last year I guess they went with this suExec deal on all servers for security purposes in the shared environment. As a result I couldn't tweak my own settings via .htaccess, thus the need to request my own php.ini.
Nightfire
05-31-2003, 01:59 AM
Might be a well-known host for security and stuff, but I don't think that'll be a host I'll ever go to, it's giving ppl too much info to be able to exploit the service.. cgi installation and php.ini in the root is too risky for me
most hosts (or all that i've known) have the php.ini in a directory wayyyyyyy out of harm's reach, even out of reach from you... but allow you to use htaccess to change settings in apache.
If I didn't have 100% freedom in what I want with my server/webspace that I'm paying for, I'll go to someone who gives me that, or go to a free host that gives me loads of restrictions.
<edit>Not saying you've been ripped off, or that your server's insecure, just saying I wouldn't trust it... yes, I am paranoid when it comes to security, as a lot of info on my sites is confidential</edit>
boywonder
05-31-2003, 02:18 AM
Originally posted by Nightfire
Might be a well-known host for security and stuff, but I don't think that'll be a host I'll ever go to, it's giving ppl too much info to be able to exploit the service.. cgi installation and php.ini in the root is too risky for me
most hosts (or all that i've known) have the php.ini in a directory wayyyyyyy out of harm's reach, even out of reach from you... but allow you to use htaccess to change settings in apache.
If I didn't have 100% freedom in what I want with my server/webspace that I'm paying for, I'll go to someone who gives me that, or go to a free host that gives me loads of restrictions.
<edit>Not saying you've been ripped off, or that your server's insecure, just saying I wouldn't trust it... yes, I am paranoid when it comes to security, as a lot of info on my sites is confidential</edit>
Understood, thanks for taking the time to reply. Any host running php as a module would have no need to provide custom php.ini files, thus the server default would be used (and manipulated through .htaccess). Yes, far out of the way. Even though the custom php.ini is in my web root, I do not have access to edit it. It can only be done through them (which they are perfectly willing to do should I request a change)
I definitely have not been ripped off. I still have over 20 days to close the account and get my money back, and I have not transferred a single domain to the space yet. Just feeling it out :thumbsup: I knew exactly where to come for advice.