[BlueOnyx:19475] Re: Document Root and Out of /Web access

[Michael Stauber]

Hi Richard,

> I have been asked by a new client the following:
>
> "Could you please let me know the DOCUMENT_ROOT for the website". I presume
> this is the /web folder. Can this be changed if necessary and is there a
> good reason to do this?
> 
> "Second concern is regarding your downloads, they are stored outside of main
> web directory for security reasons. Most of shared hosting do not allow for
> anything to happen outside of web directory. Please could you confirm with
> hosting company it is possible?" Is this possible on a BO server?

For a better explanation I'm going to distinguish between Vsite
DocumentRoot and "what do I have access to".

The /web directory is the Vsite's DocumentRoot. This is where Apache has
access to. Anything in /web and thereunder is accessible from the
outside. Naturally you can throw in access restrictions such as password
protection for the entire /web or directories within it.

And yes: Sometimes it might be practical to hide content outside of the
/web directory to prevent direct access to unfiltered or critical data.
There are many ways how this can be done. A good solution would be that
the data is in a MySQL database and is only presented to the intended
people after proper authentication.

Another way is to "park" data one step above the /web directory. And
when this data is needed, a PHP or Perl script reads it, parses it and
presents the parts that you want to be displayed.

This largely depends on "what do I have access to". There we need to
distinguish between PHP and Perl (and to a lesser extend Python and
others).

We can configure PHP pretty restrictively. And by default we do. The
only directories a PHP script has access to (if called via Apache) are:

/home/.sites/106/site15 <-- The root directory of an example Vsite
/tmp/	<-- R/W access to temp directory.
/usr/sausalito/configs/php/ <-- Read only
/var/lib/php/session/ <-- R/W access for session cookies

Lastly: PHP scripts only have access to files and folders in the above
mentioned directories if these files and folders are owned by the same
user that Apache uses for the Vsite. That would typically be the Vsite
admin configured under "Web Ownership" of that Vsite.

So if you create a folder under /home/sites/www.domain.com/secretstuff
and chown it to the "Web Owner" of that Vsite, then PHP scripts of that
Vsite would have access to the data there. But you couldn't access this
directory via a direct URL call, as it's outside the /web directory.

That is probably what you are looking for.

As far as Perl is concerned: Perl is really difficult to lock down this
way. Generally Perl scripts will have access to anything that user
"apache" (or the user who Apache runs under) has access to. However, if
you want to allow a user to manage his "secretstuff" folder via FTP,
too, then it would be best if you keep it in places he can reach via
FTP. Which would be no further up in the directory tree than the root of
the Vsite. Which would be something like this:

/home/.sites/106/site15/
/home/sites/www.domain.com/

-- 
With best regards

Michael Stauber