Forum Moderators: coopster

Looking for an alternative to .htaccess

To access subfolder pages as root-type pages

Patrick Taylor

11:50 am on Apr 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am using a simple CMS that allows new pages to be created via an admin page. Each new page is written into a subfolder "cms" and consists of a .php page together with a text file that contains the actual content.

The homepage is the only page that exists in the domain root folder. All the others are in the "cms" subfolder, which is given chmod 777 permissions so that they can be created. I am using .htaccess to rewrite URLs such as /mypage into /cms/mypage.php - so that all the pages appear to be in the root folder.

Is there an alternative way to do this without .htaccess? The root folder has chmod 750 permissions and I am looking for a way to achieve all URLs as /mypage and not /cms/mypage or /cms/mypage.php etc.

trillianjedi

11:52 am on Apr 19, 2006 (gmt 0)

I would have thought you could simply amend the php script to place the newly created pages in the correct directory.

The path prefix "/cms/" could be in a global variable somewhere in which case it could just be redefined. Otherwise just locate where the code assigns the file and adapt as necessary.

You may need to maintain your existing re-writes for historical content which you're unable to move, in which case, it might be an idea to take it out of .htaccess and put it in httpd.conf in order to save parsing .htaccess with every connection.

TJ

Patrick Taylor

11:57 am on Apr 19, 2006 (gmt 0)

> I would have thought you could simply amend the php script to place the newly created pages in the correct directory.
>
> The path prefix "/cms/" could be in a global variable somewhere in which case it could just be redefined. Otherwise just locate where the code assigns the file and adapt as necessary.

Thanks for the reply. If I want to place the newly created pages in the root folder, then wouldn't I need to set the chmod to 777? A security issue?

I'm not sure what you mean by "Otherwise just locate where the code assigns the file and adapt as necessary."

trillianjedi

12:10 pm on Apr 19, 2006 (gmt 0)

All CMS's have the inherent security risk that anyone with your username and password can login and create/delete content. Whatever folder that content is in. That's the importance of backups.....

> I'm not sure what you mean by "Otherwise just locate where the code assigns the file and adapt as necessary."

I assumed that your CMS is based on some form of script that creates the files required, the text file and the .php file that includes the text. You need to locate that script and edit it so that the php files are written out to / rather than to /cms/. The path to the text files may need to also be changed to reflect the new location if the php file does not use absolute paths. Trial and error on a local PC running Apache with a complete copy of the site is the most useful tool for this kind of work.

The underlying "user", as far as the OS is concerned, is whichever user you are running Apache under. That user needs to have write access to the "/" folder to be able to save the files there.

TJ

Patrick Taylor

12:31 pm on Apr 19, 2006 (gmt 0)

When I attempt to create a new page in the root folder I get an error message:

touch(): open_basedir restriction in effect.

I'm assuming my host doesn't allow the root folder to be fully writable, or something. The security issue I am concerned about is making the root folder into chmod 777, even if I was allowed to. I have written this simple CMS myself but am at the limits of my expertise, especially with server configuration, and also with global variables.

trillianjedi

12:45 pm on Apr 19, 2006 (gmt 0)

When you're speaking of "root" are you referring to the server's root directory, or the webserver's root directory (where index.html or index.php resides)?

If you wrote the CMS, I'm not entirely sure why you cannot output the files to wherever within the site structure you want them to be?

There is no difference, in terms of permissions, between "/index.html" and "/cms/index.html". Both are readable from the web, and both should be writable by you.

TJ

Patrick Taylor

1:44 pm on Apr 19, 2006 (gmt 0)

I'm referring to public_html on a shared server. I have been able to chmod this folder from 750 to 777, but I thought there might be an extra security issue with this, as compared to a subfolder.

Thanks for the replies. I'll see how it goes. Ideally, I was hoping to have found a way to place the files in a subfolder and still have them appear as if in public_html, as does for example WordPress, but without the need for .htaccess... as a learning thing, really, and for the sake of elegance.

Another reason is that someone else using this CMS might not be able to chmod public_html to 777.

hakre

4:28 pm on Apr 24, 2006 (gmt 0)

hi patrick,

to have your pages appear in the by you called "root-server" without using .htaccess, you could create a .php for each file which includes the .php file within the /cms folder. that might not be an ideal solution for you, but that's the only idea i can imagine so far.

Patrick Taylor

8:32 pm on Apr 24, 2006 (gmt 0)

hakre, thanks for the suggestion, but the aim is to avoid the need to make the public_html folder writable. The /cms folder and some subfolders are writable and that is where the site's pages are, but I wanted to strip out /cms/ from the path to the pages. htaccess does the job, but the pages can still be viewed with /cms/ in the path (because that is where they actually are) so I've used robots.txt to try to prevent them being indexed by search engines - except for the public_html folder versions.

Sorry if this seems garbled. Perhaps this can't be done.

henry0

9:16 pm on Apr 24, 2006 (gmt 0)

> I'm referring to public_html on a shared server

The answer might lie here
if you are on a shared server you do not have "PHP ownership", which limits many CMS functions.

hakre

9:23 pm on Apr 24, 2006 (gmt 0)

i see. that really is a pity, because even on shared environments the php should have its own user to run in and to be safely separated from other peoples webroot. or the other way round: i strongly dislike these pseudo php setups on some shared hosters ;)

Patrick Taylor

9:39 pm on Apr 24, 2006 (gmt 0)

The CMS is actually working nicely. And I have been able to chmod public_html to 777, though I've since reversed that. Thing is, if someone else were to use this CMS and they weren't able to write files to public_html or use .htaccess, then they would be stuck with their pages with /cms/ in the URL.

I can't say I really understand the security risk associated with making folders writable - maybe it's very low, especially as there are no publicly accessible input forms - but the real issue is to make the pages appear and behave as if they are in public_html for the reasons above, even on a Windows server if needs be.

If the pages were dynamic (from a database) then there wouldn't be an issue because there would be no need for the (writeable) /cms/ subfolder. But my system creates actual files for the pages.

hakre

7:05 am on Apr 25, 2006 (gmt 0)

> I can't say I really understand the security risk associated with making folders writable

quite simple: imagine someone is able to place an executable trojan or other program on your computer. it can only be done if the directory is writeable.

Patrick Taylor

10:28 am on Apr 25, 2006 (gmt 0)

How does someone place an executable trojan or other program into a writable folder on someone else's web server? (except through an 'unsecure' form on the target site)

ps: I don't want to know how to actually do it, but where/what is the weakness and to what process?

hakre

11:40 am on Apr 25, 2006 (gmt 0)

how? there are many ways but don't be scared: this is not the state that normally should be possible. just think about that it's more secure if there are no writing permissions than if there are. that's all, it was just an example.

normally an attacker tries to gain root access on the machine so she/he has got all rights needed to own the box. within this process (which is mainly based on "not intended" functions, so-called exploits), it can help an attacker to have the possibility to create files. i think basically that's all about the writing permissions.
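
The permission layout discussed in this thread (public_html at 750, /cms at 777 holding the generated .php pages) can be audited with a short script. This is an added example, not part of any post; the "uploads" directory and the file names are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Directory names follow the thread;
# "uploads" and the file names are constructed sample data.

# audit_docroot ROOT
# Prints one line per world-writable directory under ROOT and returns 1 if
# any of them holds .php files (any local account that can reach such a
# directory can add or replace files the web server will run), otherwise 0.
audit_docroot() {
    root=$1
    list=$(mktemp) || return 2
    # -perm -0002: the "other" write bit is set (777, 757, 773, ...)
    find "$root" -type d -perm -0002 -print > "$list"
    risky=0
    while IFS= read -r dir; do
        n=$(find "$dir" -maxdepth 1 -type f -name '*.php' | wc -l | tr -d ' ')
        mode=$(ls -ld "$dir" | cut -c1-10)
        if [ "$n" -gt 0 ]; then
            echo "RISK  $mode  $n php  $dir"
            risky=1
        else
            echo "note  $mode  0 php  $dir"
        fi
    done < "$list"
    rm -f "$list"
    return "$risky"
}

# Build the layout described in the thread: public_html at 750, cms at 777.
make_sample_tree() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/public_html/cms" "$base/public_html/uploads"
    : > "$base/public_html/index.php"
    : > "$base/public_html/cms/mypage.php"
    : > "$base/public_html/cms/mypage.txt"
    chmod 750 "$base/public_html"
    chmod 777 "$base/public_html/cms" "$base/public_html/uploads"
    echo "$base/public_html"
}

sample=$(make_sample_tree)
audit_docroot "$sample" || echo "=> PHP files live in a world-writable directory"
rm -rf "${sample%/public_html}"
```

A non-zero return means at least one directory combines the two conditions; a world-writable directory with no .php files is only reported as a note.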

Patrick Taylor

12:27 pm on Apr 25, 2006 (gmt 0)

> it's more secure if there are no writing permissions than if there are.

That's what I keep on hearing, but with respect, more secure against what, exactly?

hakre

12:37 pm on Apr 25, 2006 (gmt 0)

against a general threat of attack. but, hey, i am not such a sysadmin who disables write access for php scripts nor do i think that such a guy is a real security hero. i even strongly dislike that approach because it looks as lame as the setup of some sysadmins which need to enable php-safemode and directory restrictions. i mean these people really need to enable that. so maybe these people even need to disallow write permissions to keep "their" system safe.

generally speaking, i do not think that it is definitely a must to have write permissions disabled to harden a shared host.

hakre

7:53 pm on Apr 25, 2006 (gmt 0)

i now found a type of .htaccess workaround. in this specific setup which is a php 5 setup on an apache 2 server php scripts will be called without the .php extension. even slashes (/) can be added after that name.

let's say the file is called test.php located in /, the according url is:

www.sample.dom/test or www.sample.dom/test/some/more/stuff

so i thought with an index.php this would be the key, but that did not work out with that specific setup but indexes are quite irregular on that hoster. i knew it worked with www.sample.dom/test.php/some/more/stuff as for se-friendly links, but not without the .php extension.