The biggest problem with shared hosting is security. It's common for everyone's processes to run as the same "www-data" user. It can be made secure, but it isn't common and most shared hosting is powered by off-the-shelf piles of shit like cPanel which are Swiss cheese when it comes to security.
No I don't believe any shared hosting does this (at least not ones anybody pays money for). Dreamhost and Nearly Free Speech definitely don't.
This might have been true 20 years ago, but I doubt it was true 10 years ago, and definitely not today. Maybe some tiny universities had janky setups like this.
Fun fact: shared hosting providers maintained OS virtualization for Linux years before Docker existed.
I'm not quite sure but it also appears to have pre-dated cgroups. If you pack many users together on a server, you will want something like cgroups to prevent neighbors from DOS-ing each other.
This was a fork and wasn't in mainline Linux.
So they actually had MORE isolation than running as separate Unix users, not LESS.
(edit: I'm not sure exactly which shared hosting providers used such Linux kernel forks, but I'd be interested in anyone with direct knowledge. From using the shell on various shared hosting providers, I know they have pretty custom configurations with more isolation than stock distros.)
Nope, most shared hosting is still like the OP comment’s description.
Then of course you have companies like Cloudflare and Netlify where their shared static hosting is not the traditional lamp/cpanel stuff, and certainly have internally developed platforms/serving technologies where security and sandboxing is very likely top of mind.
Companies of Cloudflare and Netlify ilk are the exception, but most cheapo shared hosting (and shared hosting has to be cheap to compete), is still very much multi-tenant with security concerns across the board.
I've used 3 shared hosting providers, all of which provide SSH access. And when I ssh in, and type "ps", I see my own processes, not the processes of anybody else. They are running as a different user.
You can have unique SSH users and still have all the PHP code run under a shared user on the web server. The machine you SSH in is most likely not the same as the one running your PHP code even.
Yeah so I use Python and FastCGI with Dreamhost, which runs as a separate process and separate user.
I think mod_php (Apache shared library) is the the thing where every PHP site runs as www-data, but I thought that FastCGI was preferred these days over mod_apache. FastCGI is a separate process, which can run as a separate user, communicating over sockets.
But the original post is about STATIC websites, so this won't come into play. The main point is that you shouldn't spin up a VPS to serve static sites! You'll be burdened with maintaining the OS and web server.
Shared hosting is basically as easy as Github pages, with more choice of provider (in keeping with the philosophy of the small web).
I can't imagine that the process level is an issue here – we're not talking military, do we?
Other than that, prefer zero-knowledge designs and you can often reduce to the danger of vandalism. Have a friendly hoster and/or backups for that case.
While not military, most websites handle some kind of personal data (even IP addresses count as such for GDPR purposes) and a large chunk of the world has regulations that impose penalties or at the very least requires disclosure (bad PR) for data breaches.
Considering how easy and relatively cheap it is to get your own dedicated bare-metal server, I don't see any reason to bother with shared hosting anymore.
