Via mod_php
The packages offered by Server4u and all-inkl are more of an exception. These providers use mod_php and consequently allow their web space customers easy but only basic PHP configuration via .htaccess files in the web directory. These .htaccess files can only control two of the major PHP security options. Apart from protecting web space through regular HTTP authentication, a .htaccess file placed in the web root and containing
php_flag register_globals off
php_flag display_errors off
is pretty much all the user can do for security in the mod_php environment. As is the norm for .htaccess files, its settings will apply to any subdirectories present.
However, in this implementation all PHP scripts use the user and group ID of the web server process. Since this process requires far-reaching read privileges for accessing web directories, this may have severe consequences for other server users or even the server itself in case of an attack.
Providers usually employ other protective mechanisms in such cases, for example more narrowly defined access privileges and chroot jails. The provider all-inkl, for example, restricts PHP file access by setting open_basedir to the customer's directory.
This table provides another overview of which security options can be set where:
Security option | PHP default | php.ini | .htaccess |
allow_url_fopen | on | yes | no |
allow_url_include (1) | off | yes | no |
display_errors | on | yes | yes |
open_basedir | NULL | yes | no |
register_globals | on | yes | yes |
safe_mode | off | yes | no |
sql.safe_mode | off | yes | no |
(1) from PHP 5.2.0
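To confirm that the two php_flag lines actually took effect, and to see how the running PHP treats the other options in the table, a small script can be placed in the directory covered by the .htaccess file. This is an added example, not part of the original article; the list of options is taken from the table, everything else is an assumption about a standard PHP installation.

```php
<?php
// Added example (not from the original article): shows which of the options in
// the table are in effect for this directory. Request it once, then delete it,
// because it discloses configuration details.
header('Content-Type: text/plain; charset=utf-8');

$options = array('allow_url_fopen', 'allow_url_include', 'display_errors',
                 'open_basedir', 'register_globals', 'safe_mode', 'sql.safe_mode');
// The two options the .htaccess file above switches off.
$must_be_off = array('register_globals', 'display_errors');

// Treat the spellings PHP uses for a disabled boolean as "off".
function is_off($value)
{
    return in_array(strtolower(trim((string) $value)),
                    array('', '0', 'off', 'no', 'false'), true);
}

// Each entry holds global_value (php.ini), local_value (effective here)
// and access (bitmask of INI_USER, INI_PERDIR, INI_SYSTEM).
$all = ini_get_all();
$problems = 0;

foreach ($options as $name) {
    if (!isset($all[$name])) {
        // Options that this PHP version does not know are simply absent.
        printf("%-18s not available in PHP %s\n", $name, PHP_VERSION);
        continue;
    }
    $entry  = $all[$name];
    $perdir = ($entry['access'] & INI_PERDIR) ? 'yes' : 'no';
    printf("%-18s effective=%-10s php.ini=%-10s .htaccess-settable=%s\n",
           $name,
           var_export($entry['local_value'], true),
           var_export($entry['global_value'], true),
           $perdir);

    if (in_array($name, $must_be_off, true) && !is_off($entry['local_value'])) {
        printf("  WARNING: %s is still on; the .htaccess override is not in effect\n", $name);
        $problems++;
    }
}

echo $problems === 0
    ? "OK: register_globals and display_errors are off (or absent)\n"
    : "$problems option(s) need attention\n";
```

The ".htaccess-settable" column reflects the access level reported by the PHP version actually running, so it can differ from the table where the provider runs a different PHP release.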