PHP: Where to Securely Save Cookies

On 23 Jul 2015, at 06:57, JDW wrote:

My websites are hosted on ServerLogistics (XFERNET, on a shared Apache server). I save and run my PHP scripts from there. The directory structure is as follows:

/home/XXX/domains/mydomain.com/public_html/

All my website files are inside /public_html/ .

I want to access another server and then save its cookies via cURL in my PHP scripts. I have accomplished that by creating a folder inside /public_html/ and giving it 777 permissions, but that would not be safe as anyone who found out that address could read/write to it.

So would it be secure for me to create a folder with 777 permissions inside /home/XXX/? Since that level of the directory hierarchy is above /public_html/ no one should be able to access it, correct?

Note that /home/XXX/ is the root level of what I can access on my web server via FTP. Within /XXX/ I see folders named etc, var, usr, sbin, lib64, domains, and so on.

The problem is that the webserver will run as some other user. On shared servers that user won’t be you (the user you ftp as). If the webserver user can write to the cookie file, so can anyone else who is logged into the server unless the server machine is well set up - and you can’t be sure of that.

Set up the cookie directory as 777 and get the webserver to write to it. The written file will be created by the webserver and so owned by it. You will then know the username and group that the webserver runs as. If you don't share a group with the server you're stuck. If you do, set up the owner and group of the cookie directory as owned by the webserver with a group you are in and mode 770. (You may need ISP help to do this.) Other people sharing the server will then only be able to get into that directory by writing code that will be run by the webserver. In pure permissions terms it should just work the other way round (owner=you; group=yours; mode=770), but as you're having problems there must be other checking going on.

As to where to put it, above or next to public_html is probably better as only those you share the server with could possibly see it. It should be safe within public_html as long as it doesn’t have an extension that says the server should serve it.

David - retired Unix sys-admin
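The procedure David describes, as an added example (not code from the original thread): a PHP script that keeps the cURL cookie jar in a directory above public_html, refuses to run if that directory is world-writable, writes a probe file to learn which user and group the webserver runs as (so the directory can then be chowned to that owner with a shared group and mode 770), and points cURL at a jar created with mode 0600. The path /home/XXX/cookies and the URL https://example.com/ are assumptions for illustration; the posix_* calls are optional because the posix extension is often absent on shared hosts.

```php
<?php
// Added example, not from the original thread.
// Assumed layout: /home/XXX/cookies sits beside /home/XXX/domains, i.e. above
// public_html, so Apache will never serve it as a document.
declare(strict_types=1);

const COOKIE_DIR = '/home/XXX/cookies';   // hypothetical path (assumption)

/**
 * Make sure the cookie directory exists and is not world-writable.
 * 0770 (owner + group) is requested instead of 777; umask may narrow it.
 */
function ensureCookieDir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0770, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    clearstatcache(true, $dir);
    if ((fileperms($dir) & 0002) !== 0) {
        // 777 is the "find out who the webserver is" step only; do not run
        // with it permanently.
        throw new RuntimeException("$dir is world-writable; chown it to the webserver user, mode 770");
    }
}

/**
 * Write a probe file and report its owner/group: that is the identity the
 * webserver runs as, which is what you need for the chown/chgrp step.
 */
function reportRuntimeIdentity(string $dir): array
{
    $probe = $dir . '/.probe';
    if (file_put_contents($probe, "probe\n") === false) {
        throw new RuntimeException("cannot write in $dir");
    }
    clearstatcache(true, $probe);
    $uid = fileowner($probe);
    $gid = filegroup($probe);
    unlink($probe);
    $user  = function_exists('posix_getpwuid') ? (posix_getpwuid($uid)['name'] ?? (string) $uid) : (string) $uid;
    $group = function_exists('posix_getgrgid') ? (posix_getgrgid($gid)['name'] ?? (string) $gid) : (string) $gid;
    return ['uid' => $uid, 'gid' => $gid, 'user' => $user, 'group' => $group];
}

/**
 * Fetch $url, reading and saving cookies in $jar. The jar is created up front
 * with mode 0600 so cURL never creates it with a wider mode.
 */
function fetchWithCookieJar(string $url, string $jar): string|false
{
    if (!file_exists($jar)) {
        touch($jar);
        chmod($jar, 0600);
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEFILE     => $jar,   // send cookies saved on earlier runs
        CURLOPT_COOKIEJAR      => $jar,   // written back when the handle is closed
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

ensureCookieDir(COOKIE_DIR);
$id = reportRuntimeIdentity(COOKIE_DIR);
// Use this to chown COOKIE_DIR to the webserver user with a group you share.
printf("webserver runs as %s:%s (uid %d, gid %d)\n", $id['user'], $id['group'], $id['uid'], $id['gid']);

$jar  = COOKIE_DIR . '/example.com.txt';
$html = fetchWithCookieJar('https://example.com/', $jar);   // assumed target URL
echo $html === false ? "request failed\n" : 'fetched ' . strlen($html) . " bytes\n";
```

Run it once while the directory is still 777 to see the printed user:group, do the chown/chgrp and chmod 770 (with ISP help if needed), and from then on the world-writable check makes the script refuse to continue if the permissions ever drift back.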


dynamo mailing list
email@hidden
Update your subscriptions at:
https://freewaytalk.softpress.com/person/options