Exploring the reasons why we can’t provide shared hosting

A topic which deserves its own conversation…

Malcolm

I’m intrigued, how are the FMS documents and temp folders accessible to users over a network?

Thanks
Andy

1 Like

I was actually wondering about that one myself. :slight_smile:

Those two spaces allow all users to read/write within them. There is no sandboxing to restrict users/groups to their own little patch. Anyone able to write scripts can access the contents.

One issue I bumped into very early on in a shared hosting situation was overwriting files because the same name had been used. User A writes "my_invoice.pdf" in doc or tmp. User B writes "my_invoice.pdf" in doc or tmp. User A opens "my_invoice.pdf" and has user B's invoice.

3 Likes

Thanks Malcolm

I understand the risk of overwriting files or possibly even return the wrong file/result to the user, which is why we’d normally timestamp anything written to the documents or temporary folders to minimise this - a UUID would be better, but not suitable for our needs. We’d never use either of these locations for permanent storage either.

To clarify malicious risks. To access any data in these folders, the ‘user’ would have to have full access to a hosted database and utilise scripts to list any folders or files in these locations before being able to use scripts to access them.

This would explain why Claris allows shared hosting for SBA solutions and not standard licensing, as the person providing the SBA solutions must totally control the server and not allow any form of development modifications to the hosted solutions.

Kindest regards
Andy

3 Likes

Yes, that’s a succinct description of the risk. Plenty of hosts were allowing many different clients to host their own solutions. Of course, everyone of them had full access privileges to their own solution.

Only just seen this thread. It would seem to me that this issue would be pretty straightforward to resolve for Claris if they chose to do so.

I believe another reason is that plug-ins have access to the operating system.

I'm supportive of the "shared hosting is not best practice" attitude. The issue goes well beyond the application.

Even a well maintained system provides an inventive attacker with potential for abusing "safe" systems. If I am company "B" in a shared hosting environment and a disgruntled employee is attacking company "A" my systems will suffer too.

For me the issue is not whether shared hosting should exist, but rather that its removal increased the cost of entry to FileMaker platform by a huge amount.

In 2015 when shared hosting was still available here in the UK, you could by two copies of FileMaker Pro for £275 each and then use a shared host for £240 a year.

The entry point now is a 5 user licence at £2,160 (I used the perpetual price for a better comparison) with an annual cost starting around £500 (thanks to the arrival of Linux). The alternative Claris Cloud is £900 with a minimum of 5 users which is still a very significant increase in cost.

This is a massive barrier to entry and has resulted in many customers staying on older versions so as to continue with shared hosting which means zero income for Claris and users on older less secure versions. It is also really bad PR as many of those customers think Claris has at best abandoned them and at worst tried to extort them.

The introduction of a linux server did reduce the ongoing costs of a dedicated server and was very welcome, but it still did not resolve the fundamental issue of a customer needing a dedicated server with (according to the tech specs) 8GB Memory and 500GB disk even for only two users!

I do hope that the new licensing coming with Studio will result in the platform being more accessible, but until we see the prices we have no idea whether studio comes with a lower entry point or will be yet another price increase.

3 Likes

Well put!

FMS' severe license restrictions mean I can rarely use it. In fact, I haven't been able to use FMS for a new client in more than 5 years.

1 Like

I am recalling an old conversation with FileMaker staff (as it was called back then) on this subject.

It came down to protecting its reputation over two issues: security and performance. Server security was mentioned earlier in the thread. Server performance was as important: a poorly coded solution could easily impact all other hosted solutions on the shared server.

Both these issues could have been mitigated by a redesign of the server application. Neither solution would have been trivial. My question to all: What incentive would FileMaker, who has a fiduciary duty to its shareholder (Apple), have had to expend this effort?

Barrier to entry indeed increased. One could surmise that FileMaker chose to change its target market on the low end to workgroups with five or more users. Single-user licenses would become more expensive with the removal of peer-to-peer networking. Less-than-five user licensing costs would become more expensive with the prohibition of shared hosting.

I was about to forget… remember that shared hosting is still permitted in one case: solutions provided as a service by their editors. You are permitted to host your own solutions and make these available to your users via a server that you manage even if these users hail from different organizations. An important condition, here, is that users are prohibited from creating or modifying code.

bdbd,

Do you have a Claris reference or link for the shared hosting exception? As a CPA, I would like to share hosting for a custom accounting system for clients, whereby there would be some customization and each client would have their own database.

Certainly,

Section 1 (m) of the Claris Solution Bundle Agreement contains the exception.

Hope this helps.

Thanks. But I believe that the initial order minimum is for 10 users, but then annual renewals must be for 50 users (item 7d). I also don't know if customizing each solutions would impede the requirements. You also must be a Partner and submit your application(s) for review.

Seems like a lot of hoops to jump to have users, paying the full per user fee, to be "shared hosted". I guess that I can form another organization and make the users members of the organization.

As was mentioned earlier, Claris is not interested in pursuing small business accounts. Therefore, most SMB’s only real option is a five user license with dedicated hosting — which can easily cost $150 or more per month. That’s a big pill to swallow when Excel is basically free.

Perhaps the “freemium” model will help some small businesses see the benefits FileMaker can bring to the table.

Therefore, most SMB’s only real option is a five user license with dedicated hosting — which can easily cost $150 or more per month. That’s a big pill to swallow when Excel is basically free.

How much do you get when you use Excel for something it's not made for ? Nothing. Excel is not a database and will never be. That needs to be explained to users. Excel seems to do the job, but it's not.

1 Like

I said there was an exception. I never said it is cost effective in all cases nor did I say it was available to everyone.

The SBA is intended for vertical solution resellers, including those that want to host their solutions on a SAAS model. The SBA comes with many strings attached. One requires that each solution be vetted by Claris. Another requires the sale of a minimum number of licenses yearly. The SBA is not designed nor intended to cater to small operations.

I believe customizations are okay, so long as the editor is the only one doing the coding, hosting, support, etc. Claris vetting may still be required. That's a question to put to a Claris partner manager.

I wouldn't be too quick to dismiss the SBA. We've used it for years, and it's been really great. At the very least send an email to Claris with the intent of setting up a call with your region's SBA rep. They want to make it work.

The 50 users thing is true, but if you think you've got a decent accounting system, maybe it's worth shooting for those 50 clients? Don't they give you a year to grow from 10 to 50? And even if you have to pay for licenses you aren't using, you should actually price it out with a rep before you make any assumptions about the total cost.

The SBA agreement will make target that much easier to attain and support. Anyways, just have a conversation with them. I'll also say this: shared hosting is not the only benefit to the SBA.

Yeah this really is this issue. The problems with shared hosting were obvious. I get that it was part of a larger move in a different direction (that has born a lot of fruit). I understand/support that, but I found it borderline disingenuous how Claris always tried to force this conversation to be only about security.

Their public communications with impacted clients were just so inadequate. I don't recall there being any sense of "We understand this hurts you, and we want to help you find a way forward." Just felt like: "Deal with it".

Still in my Top 5: things Claris did to leave a bad taste in my mouth.

1 Like