[BlueOnyx:19476] Re: Document Root and Out of /Web access

[Richard Sidlin]

> 
> Hi Richard,
> 
> > I have been asked by a new client the following:
> >
> > "Could you please let me know the DOCUMENT_ROOT for the website". I
> > presume this is the /web folder. Can this be changed if necessary and
> > is there a good reason to do this?
> >
> > "Second concern is regarding your downloads, they are stored outside
> > of main web directory for security reasons. Most of shared hosting do
> > not allow for anything to happen outside of web directory. Please
> > could you confirm with hosting company it is possible?" Is this possible
on a
> BO server?
> 
> For a better explanation I'm going to distinguish between Vsite
> DocumentRoot and "what do I have access to".
> 
> The /web directory is the Vsite's DocumentRoot. This is where Apache has
> access to. Anything in /web and thereunder is accessible from the outside.
> Naturally you can throw in access restrictions such as password protection
for
> the entire /web or directories within it.
> 
> And yes: Sometimes it might be practical to hide content outside of the
/web
> directory to prevent direct access to unfiltered or critical data.
> There are many ways how this can be done. A good solution would be that
> the data is in a MySQL database and is only presented to the intended
> people after proper authentication.
> 
> Another way is to "park" data one step above the /web directory. And when
> this data is needed, a PHP or Perl script reads it, parses it and presents
the
> parts that you want to be displayed.
> 
> This largely depends on "what do I have access to". There we need to
> distinguish between PHP and Perl (and to a lesser extend Python and
> others).
> 
> We can configure PHP pretty restrictively. And by default we do. The only
> directories a PHP script has access to (if called via Apache) are:
> 
> /home/.sites/106/site15 <-- The root directory of an example Vsite
> /tmp/	<-- R/W access to temp directory.
> /usr/sausalito/configs/php/ <-- Read only /var/lib/php/session/ <-- R/W
> access for session cookies
> 
> Lastly: PHP scripts only have access to files and folders in the above
> mentioned directories if these files and folders are owned by the same
user
> that Apache uses for the Vsite. That would typically be the Vsite admin
> configured under "Web Ownership" of that Vsite.
> 
> So if you create a folder under /home/sites/www.domain.com/secretstuff
> and chown it to the "Web Owner" of that Vsite, then PHP scripts of that
Vsite
> would have access to the data there. But you couldn't access this
directory
> via a direct URL call, as it's outside the /web directory.
> 
> That is probably what you are looking for.
> 
> As far as Perl is concerned: Perl is really difficult to lock down this
way.
> Generally Perl scripts will have access to anything that user "apache" (or
the
> user who Apache runs under) has access to. However, if you want to allow a
> user to manage his "secretstuff" folder via FTP, too, then it would be
best if
> you keep it in places he can reach via FTP. Which would be no further up
in
> the directory tree than the root of the Vsite. Which would be something
like
> this:
> 
> /home/.sites/106/site15/
> /home/sites/www.domain.com/
> 
> --
> With best regards
> 
> Michael Stauber

Thanks Michael. As usual a fully comprehensive reply.