  1. #1

    Help with file permissions on shared host

    I recently opened a shared hosting account with a new host.

    Can someone advise on file/folder permissions I can set which will keep my shared host neighbors out?

    While accessing my account via FTP I noticed I could freely view and download files from other users folders - their PHP, HTML, images, you name it!

    I would like to be more private with my files which include PHP scripts, images, etc.

    I already contacted the help desk with my host and the tech said shared access between accounts is normal (even FTP) and if I restricted permissions then my PHP wouldn't work for Internet users.

    I'm not buying it. I should be able to set the permissions such that Internet users can execute the PHP and view images, without my account neighbors using FTP to download my files.

    Thanks in advance!


    ** This question was probably answered elsewhere, but I couldn't find a specific solution via a search of the boards. **

  2. #2
    Join Date
    Oct 2002
    State of Disbelief
    I'd suggest it's time for a new host. This is not normal, and can be prevented without interfering with the operation of PHP in the least.

  3. #3
    Join Date
    Dec 2005
    It can be blocked server-wide by enabling chroot in the FTP configuration. If you are using Pure-FTPd, the following option should help:

    ChrootEveryone yes
    But it needs root access to make the above change, so you might have to contact your web host regarding this.

  4. #4
    Thanks for the quick replies! I'll call again and see if I can get a senior tech to help. Without naming names, I believe this is a reputable host and perhaps the tech is new.

    I've had other shared hosting accounts and I've never been able to get at my neighbors folders. I always took the permissions from the FTP side for granted...

    Thanks again!


  5. #5
    Fwiw, as a follow-up I found a link to a thread here which speaks to my problem with this particular host. Unfortunately as a new poster, I don't have permission to post the link.

    Go figure....


  6. #6
    Join Date
    Aug 2005
    You can, however, name the host, if you wish.

  7. #7
    The host is After reading more in threads posted here in which was mentioned, I think I understand their philosophy regarding security. But there may be a cost basis to it as well.

    In general, by allowing one to view all users folders on their shared servers, in a way it prompts the account holder to recognize that security should be reviewed. It sure did with me! In fact, it made me realize that I now need to do more with permissions at my other host as well - where my files (as far as I know) are out-of-group-view by default.

    What I feel was missing from my "getting started" email from, is a section that called attention to file permissions. In particular, with respect to how neighbor accounts can download your files with FTP if you don't disable 'group'.

    Of course, if they drew attention to security then that could cause massive support tickets as novice users muck up their permissions and call support to untangle the mess. After all, 1000's of static websites with basic security (by default) is probably more profitable than scripted ones.

    And if someone's board or CMS gets hacked, shame on them for not considering security, right?

    I like and my site performance has been great! For the critical scripts, I'll probably wrap them with php-cgiwrap.


  8. #8

    Keep the file permission 700 for necessary files which are important for you, but this will block global access for this file; only you and your hosting service provider will be able to access that file, so better you think a second time on changing the permission of the file.

    Because in shared hosting the hosting company takes special care that no user is allowed to access other users' files.

    Thank you

  9. #9
    Join Date
    Aug 2005
    Sorry, I didn't see your response till today.

    Personally, I wouldn't like other users to see my directory.

    Here are a few tests you can do to check the security situation.
    If you do both, you can see how PHP and CGI are running, and also how the server is configured.
    (You should put them in a protected directory.)

    PHP Code:
    <?php // diagnostics run in the web server's context; output is shown in a <pre> block
    echo '<pre>', `(id; touch testfile; ls -al testfile; rm testfile; mpstat; ps auxwe; ls /proc) 2>&1`, '</pre>'; ?>
    test.cgi (This one needs to be chmod 755, or any executable permission)
    #!/bin/sh
    echo 'Content-Type: text/html'; echo   # header line, then the blank line that ends the CGI headers
    echo '<pre>'; exec 2>&1               # send stderr to the page as well
    id; touch testfile; ls -al testfile; rm testfile; mpstat; ps auxwe; ls /proc
    If the file created by php or cgi is owned by "www" or "apache" or anyone other than you, and if the "ps auxwe" and/or "ls /proc" shows lots of results, the server isn't very secure, most probably.

    If the cgi/php process is running with your "id", then it's safer, and somewhat normal, these days.
    If you get error on "ps" or "ls /proc", it's even safer in a way, but a bit too strict for my personal taste.

    Note: Don't copy paste the result for public viewing.

    Example: Output from a DreamHost server (uid, gid, etc are edited and not real. )
    (I can still use "ps", but the info of other users isn't shown thanks to grsec and/or whatever they use.)
    uid=666777(xtra) gid=676767(pg767676) groups=676767(pg767676)
    -rw-r--r--  1 xtra pg767676 0 Jan  9 05:45 testfile
    Linux 2.4.32-grsec+f6b+gr217+nfs+a32+fuse23+tg+++opt+c8+gr2b-v6.194 (doritos) 	01/09/07
    05:45:35     CPU   %user   %nice %system %iowait    %irq   %soft   %idle    intr/s
    05:45:35     all   56.50    0.58   10.87    0.00    0.00    0.00   32.06  10551.00
    xtra  17771  0.0  0.1 15048 5428 ?        S    05:45   0:00 php.cgi PATH=/usr/local/bin:/usr/bin:/bin DOCUMENT_ROOT=/home/xtra/html 
    Last edited by extras; 01-09-2007 at 09:53 AM.

  10. #10

    * How do I set correct file permissions

    Searching, I came across this thread. I have a similar problem.

    I have two hosting accounts. One at Netfirms and the other at a small local company who I will call abc Hosting. I just developed a site for a client who wanted to use their friend abc Hosting to host their site.

    When I FTP to my sites on Netfirms, if I try to go up in the directory structure past my top level www folder, I get the message
    Error: Could not retrieve directory listing
    which is as it should be.

    However at abc hosting, when I go up in the directory structure, I can see all sorts of files and directories. I just now was able to download an html file from inside one of these directories!!!! This means that others would have the same access to my files.

    The second difference is that in my PHP errorhandler program, I couldn't write to my errorlog file using a relative reference - I had to specify a complete path starting at home/myfolder/mywebsitefolder/theerrorlogfolder/errorlogfile -- not a big deal but I mention it in case it is relevant.

    More importantly, my errorlog program could not create or delete the errorlogfile. When I asked the fellow who runs the servers, he changed the permissions. In order for me to be able to create/delete the error log file, he had to give read, write, execute access to everyone that is 666. I was very uncomfortable with this so I am changing the program to just overwrite the file with an empty string instead of deleting it.

    But my huge concern is my SQLite database. This database is created and updated by a utility program that maintains some scheduling data that is read by a couple of web pages. Only the website owner updates this. However, the only way that my PHP program is able to update the SQLite database is if the directory containing the database has this same 666 access. This means that not only could other users of this system drop by and clobber the database but anyone who discovered its existence could do this!!!!

    At netfirms, I don't need to change any permissions to be able to create, write to or delete either sqlite databases or ordinary files. The default 755 (only the owner can write) is sufficient.

    The owner says this is OK because only the site owner and I know that this directory is there. It is true that there are no site pages in this directory but I am concerned on two counts - one that other folks with ftp access could clobber this file because of the ability to browse everywhere and second I don't like the access having to be wide open.

    What can I do to secure this site? Changing hosts is not an option. I am a novice as far as apache is concerned.

    Thanks for any/all replies.

  11. #11
    Join Date
    Oct 2002
    State of Disbelief
    he had to give read, write, execute access to everyone that is 666
    That's read and write. 777 is read write and execute for all.

  12. #12
    Thank you, I got it confused. The permission necessary is read, write, execute for all which is 777. (Just confirmed that I'm an Apache novice!!)

    Anyway, how do I go about making sure that my directories are secure?

    I thought about putting the database in a directory that is not in the path of the site root - that is home/mydirectory/a different folder than the site/database
    but if on this server set up I need to give such complete access, then one of the other people on this server could still clobber the database.

    Does anyone know how I set the access to owner write only and still have php able to write to the file the way it works at netfirms?

    thanks very much

  13. #13

    For downloading and uploading files in your directory the user will need an FTP username and password so that they can download and upload files. Do not pass on this information, as it would breach the security. Giving 777 permission to your files is not good since it is open for all. You can give 766 permission so that the executable permission is not given to the global users. If there are some important directories in your domain which need only your access then you can password protect these directories.

    For any further assistance, please do not hesitate to <ask here>.

    Thank you.

    Last edited by bear; 01-14-2007 at 08:40 AM.

  14. #14
    Thank you for your help.
    I also read elsewhere that it is a good idea to locate a database above the root directory, if possible.

    Here is what I have been able to do:

    On this server, I am able to create new directories outside of the root folder of this website. I am using fictitious filenames but the actual structure.

    The website is located in /home/MYFOLDER/websiterootdirectory
    so I created a folder /home/MYFOLDER/newfolder1/newfolder2

    which is beside the website folder. It is impossible for a casual browser to locate this directory as no domains point to it. I put my database files in newfolder2.

    I still had to give newfolder2 777 permissions in order to update the database from my online script. However, the parent of newfolder2 which is newfolder1 only needs execute for everyone (111) no read or write in order for my programs to update the database and my website pages to read the database. I am hoping that this means that no one can willfully delete the database.

    There is only one script that updates the database and now the directory containing this script works without write permissions at all (555) so the program that updates the database can only be changed by me with my ftp password which is not known to anyone else.

    I have no idea whether other ftp users of this server can see my files or not - I only know that I can sure see many of theirs! The next time I talk to the owner of this little company, I will ask him how much access anyone else would have to my directories.

    The last consideration is to put a password on the program that updates the database. My .htaccess file redirects are still not working so I'm not going to try to set up an .htaccess password right now. I just created a terribly non-secure password, a hash of which is stored in my database. Only a web crawler will ever find the directory containing this script as the only thing in it is my errorhandler and the database update script - no web pages per se and nothing links to anything in it. The owner of the site will only be updating the site about once a week so I am hoping that the token password will be sufficient.

    If anyone has any additional suggestions or comments I would appreciate anything you have to say.
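As an added example that is not part of the thread (my own POSIX shell, not any host's tooling), the script below decodes octal modes the way posts #11 and #12 discuss them (which classes 666, 755 and 777 actually grant), audits a home tree for anything group or "other" users could read or clobber, and applies the 700/600 setting for a directory only the account owner should touch. The folder names in build_sample_tree are the fictitious ones from the post above, and the tree it creates is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or any host's own tooling): decode octal
# modes and audit a directory tree for over-permissive files. The sample tree
# built by build_sample_tree is constructed here from the made-up folder names
# in the post above; it is not real hosting data.

# Decode a three-digit octal mode into ls-style rwx form: 755 -> rwxr-xr-x.
mode_to_rwx() {
    _out=""
    for _d in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $_d in
            0) _out="${_out}---" ;; 1) _out="${_out}--x" ;;
            2) _out="${_out}-w-" ;; 3) _out="${_out}-wx" ;;
            4) _out="${_out}r--" ;; 5) _out="${_out}r-x" ;;
            6) _out="${_out}rw-" ;; 7) _out="${_out}rwx" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Name the classes (owner/group/other) that hold bit r, w or x in a mode.
# classes_with 666 w -> "owner group other"; classes_with 755 w -> "owner".
classes_with() {
    _mode=$1; _res=""
    case $2 in r) _mask=4 ;; w) _mask=2 ;; x) _mask=1 ;; *) return 1 ;; esac
    _i=1
    for _class in owner group other; do
        _digit=$(printf '%s' "$_mode" | cut -c "$_i")
        if [ $(( _digit & _mask )) -ne 0 ]; then
            _res="${_res:+$_res }$_class"
        fi
        _i=$((_i + 1))
    done
    printf '%s\n' "$_res"
}

# Count paths under $1 whose mode lets group (020) or other (002) write to them:
# these are what a neighbouring FTP account could clobber on a host without
# per-user isolation.
count_group_or_other_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}

# Print each over-permissive path with its mode, as ls shows it.
audit_tree() {
    echo "== writable by group or other under $1 =="
    find "$1" \( -perm -020 -o -perm -002 \) -exec ls -ld {} \;
    echo "== regular files readable by other under $1 =="
    find "$1" -type f -perm -004 -exec ls -ld {} \;
}

# Least-privilege setting for a directory only you should touch: 700 on every
# directory, 600 on every file. Caveat from the thread: if PHP runs as the web
# server's user rather than yours, scripts can no longer write here.
harden_private_dir() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} \;
}

# Constructed sample tree mirroring the layout described in the post above.
build_sample_tree() {
    _base=$(mktemp -d)
    mkdir -p "$_base/websiterootdirectory" "$_base/newfolder1/newfolder2"
    printf '<?php echo "hello";\n' > "$_base/websiterootdirectory/index.php"
    : > "$_base/newfolder1/newfolder2/site.db"
    chmod 755 "$_base/websiterootdirectory"
    chmod 644 "$_base/websiterootdirectory/index.php"
    chmod 711 "$_base/newfolder1"                 # traverse-only for others
    chmod 777 "$_base/newfolder1/newfolder2"      # the wide-open setting the host asked for
    chmod 666 "$_base/newfolder1/newfolder2/site.db"
    printf '%s\n' "$_base"
}

# Usage: sh audit_perms.sh /home/MYFOLDER   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

On the host described in this thread, where the database directory had to be 777 before the web script could write to it, the audit will keep flagging that directory, and harden_private_dir would break the updater; that is the signal that PHP runs under a different uid than your FTP login (the id test in an earlier post shows which), and the fix is host-side (a chrooted FTP as in post #3, or per-user CGI wrappers as in post #7), not a looser mode. One further caveat on the 111 setting from the post above: a directory without the read bit cannot be listed even by its owner, so find and ls will not descend into it, although files inside can still be opened by name.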

