Current practice is that the Drupal Association requires new applicant hosting companies which wish to be listed on http://drupal.org/hosting to pass the security test of the Security Review module. It is difficult to pass the test without adding a layer of complexity to certain setups. This practice represents an unfair barrier for hosting companies that want to provide Drupal-specific hosting services and cannot practically pass the test; it should therefore be reviewed or cancelled.
For example, it has been proved that it is not possible to pass the test for hosting companies running RHEL/CentOS with PHP in FastCGI mode, where all the virtual servers' files belong to users and groups with the same name as their respective owners. For this kind of setup even recommendations like the one suggested by greggless do not help, because, unfortunately, Security Review's test does not accept a directory as secure as soon as its permissions change to 740, regardless of the user and group ownership of the directory, and 740 is the minimum directory permission to pass the test.
Many Drupal users working in different types of environments hit similar issues: http://drupal.org/node/1411124, http://groups.drupal.org/node/138134, http://drupal.org/node/628776. I personally come from http://drupal.org/node/1414062, frustrated by the total silence of the Drupal Association with regard to the issue. The short reply from the Drupal Association's tester was that he could not recommend any solution, while at the same time declining our application until we pass the test. We are a new Drupal Association member of the organization type and, frankly speaking, are disappointed to encounter this kind of attitude from the Association. I firmly believe the Drupal Association has to have some directives and instructions for newcomers on how to deal with this kind of Gordian knot, created by the Association itself.
Another user dealing with this issue, JamesOakley, proposes:
(i) The fact that the Drupal Association requires every test to be passed on Security Review before they'll list a host. That's their choice, but they could have chosen to disregard the test on file-writeability. As this module develops and new tests are added, it seems to me that the association should decide carefully which ones they will require. Which brings me to:
(ii) The fact that the same standard does not appear to apply to existing listed hosts and prospective ones. So, in a similar vein, if a new test in SR is going to be required of all hosts, existing listed hosts should be given a period of time to ensure they conform, otherwise they lose their listing on drupal.org/hosting.
One way or another, the Drupal Association has to come up with a clear solution to save new applicants from the impression that this barrier is deliberate: not to list new hosting companies, and to protect the interests of the limited number of companies that are already listed on http://drupal.org/hosting and that do not comply with the security requirements of the Drupal Association.
The fact that anyone can open a test account with a random listed hosting company, install the Security Review module, run its test and see failing results raises another doubt about the fairness of the Drupal Association's practice with regard to this matter.
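To make the permissions point above concrete, here is an added example that is not part of the post and not the Security Review module's own code. It models a file-writeability audit as "can the PHP process itself write this path?", which is how a check built on PHP's is_writable() behaves (that the module's check works this way is an assumption of this example, not something the post states). The scenarios, usernames and modes below are constructed; they show why a per-user FastCGI/suexec setup, where PHP runs as the file owner, cannot satisfy such a check at mode 740 no matter how ownership is arranged, and what clearing the relevant write bit costs.

```shell
#!/bin/sh
# Added example: a model of a "writable by the PHP process" audit.
# Assumption (not from the post or the module): the audit asks whether the
# process running PHP can write the path, as is_writable() does, so the answer
# depends on which user PHP runs as, not only on the mode bits.
#
# writable_by MODE OWNER GROUP PROC_USER "PROC_GROUPS" -> prints yes or no
writable_by() {
  mode=$1 owner=$2 group=$3 proc_user=$4 proc_groups=$5
  bits=$((0$mode))                 # leading 0 makes the shell parse MODE as octal
  if [ "$proc_user" = "$owner" ]; then
    test $(( (bits >> 6) & 2 )) -ne 0 && echo yes || echo no   # owner write bit
    return 0
  fi
  case " $proc_groups " in
    *" $group "*)
      test $(( (bits >> 3) & 2 )) -ne 0 && echo yes || echo no # group write bit
      return 0 ;;
  esac
  test $(( bits & 2 )) -ne 0 && echo yes || echo no            # other write bit
}

# passes MODE OWNER GROUP PROC_USER "PROC_GROUPS" -> yes if the audit would
# report the directory as not writable (i.e. "secure"), no otherwise.
passes() {
  if [ "$(writable_by "$@")" = no ]; then echo yes; else echo no; fi
}

# min_passing_mode MODE OWNER GROUP PROC_USER "PROC_GROUPS" -> the same mode
# with only the write bit that applies to this process cleared, i.e. the
# smallest change that makes the audit pass.
min_passing_mode() {
  mode=$1 owner=$2 group=$3 proc_user=$4 proc_groups=$5
  bits=$((0$mode))
  if [ "$proc_user" = "$owner" ]; then
    bits=$(( bits & ~0200 ))       # clear u+w
  else
    case " $proc_groups " in
      *" $group "*) bits=$(( bits & ~020 )) ;;   # clear g+w
      *)            bits=$(( bits & ~02 )) ;;    # clear o+w
    esac
  fi
  printf '%03o\n' "$bits"
}

# Constructed scenarios (hypothetical users site1 and www-data).
# 1) Classic mod_php: files owned by site1:site1, PHP runs as www-data,
#    which is not in the site1 group.
passes 740 site1 site1 www-data "www-data"      # yes
# 2) Per-user FastCGI/suexec hosting as described in the post: PHP runs as
#    the owner, so the owner write bit alone makes the directory "writable".
passes 740 site1 site1 site1 "site1"            # no
# 3) The only way to pass in scenario 2 is to drop u+w, after which the site
#    itself can no longer create files there.
min_passing_mode 740 site1 site1 site1 "site1"  # 540
```

Run it as-is to see the three results; swap in your own mode, ownership and PHP user to see what an is_writable()-style check would say about a given directory before running the real module. The point the scenarios make is that under per-user FastCGI, ownership cannot help: the process and the owner are the same account, so passing the check means removing the owner's own write access.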