Hi folks,

I have no root access, so I can not implement optimal security with protector, unless I put my whole XOOPS site in a separate dir, so I create an extra level.
I redirect with .htaccess, but I have URL's with an extra level in it.

My host says it's unsafe to grant access to 1 level higher.

How do you guys do that?
Do you have root access?

Thx in advance for replying and kind regards,

Hi,

Nope, I don't have access to levels higher than my web-root either.

My XOOPS site sits in a folder and Protector's trust path is parallel to that, i.e.

web_root/website_folder
web_root/xoops_trust_path

I've set up a sub-domain to keep things neat and tidy, and set xoops_url in mainfile.php to point to the sub-domain, i.e.:

http://website.mydomain.com/

I change the name of website_folder more-or-less monthly(and point the sub-domain to the renamed folder so the web-address doesn't change) and change my database prefix (using Protector) every few months. Seems to work for me on the security front.

As the principal in a web-hosting business, I would respond that generally, you don't give access to "root" to main accounts.

What a hosting company should give you is access to "root" for YOUR account. For instance, if your account is "myname" and your account root is "/home/myname" (a very standard config on linux machines), then you should have access to everything within that directory. Within that account "root" directory is usually a "public_html" folder which is the root of your html files. This allows an area for the web-server to access files, but it can't get 1 level higher -- to your account root. Then, you make a folder in your account root (maybe xoops_trusted) for your protector files. The web-server can't access them, but your application files can.

/home/myaccount - "root"
/home/myaccount/public_html - web "root"
/home/myaccount/xoops_trusted - trusted "root"

Finally, while our accounts can't actually access the /home directory to list contents and/or access files, they can see actual root (linux command "ls /") because some of those files must be accessible and readable for your apps and command line commands to be able to work.

To go to your account "root" folder from a linux command line, just type the command "cd". To find out where you are, type the command "pwd" (present working directory).

Is that clear as mud?

Thx for your replies guys.

I'm in the same situation as John: I have my site in a folder, and the trust path paralel to that.
Like this:
www/htdocs/accountname/extra-dir/here-all-the-dirs-and-php-files
www/htdocs/accountname/extra-dir/trust-path

My host does not permit access to a "higher" level. I can not create www/htdocs/accountname/here-all-the-dirs-and-php-files and
www/htdocs/trust-path

I also checked with another host, where this is also the case.

So I gues you might say that I have no account root access, Mark.
Did I understand you right?

Both hosts say that they wouldn't even use "the script" (they mean XOOPS in this case) when this is the safest way to run it. When a script is properly coded it should be safe without higher level access then I have; in their opinion.

Your last paragraphs I do not understand Mark, I'm sorry.
Do you mean to say there's a way to get access with some commands?
How do you give these commands?
With an ftp program?

I'm sorry that I have a lot of questions, but I hope to get this clear for once...

Thx in advance and kind regards,