I am new to the Go Daddy shared setup (I have set up hosting on my own box with Linux). I have a shared server account up and running, but as always I am paranoid about security. Does anybody have best practices for a secure setup on a shared Go Daddy Linux account? My biggest question seems to be the /Files folder. I set it to public and web accessible, but it looks like Drupal needs RW access to the Files folder. How are you supposed to secure that folder?

Also, I would be interested to see if there is a good set of "best practice" instructions that are more detailed for the Go Daddy setup.

Thanks

Comments

styro’s picture

but if you really were paranoid about security you wouldn't be using shared hosting. Shared hosting, no matter how it is configured, involves compromises that reduce security one way or another.

The two main ways shared hosting can be set up: 1) your webmaster user account (e.g. for FTP/control panel type stuff) and the web server run under different accounts, or 2) the web server switches to your webmaster account (e.g. via suexec etc.) to run your web apps.

Both methods have pros and cons security-wise - which method is better depends on your perception of the risks you face and where you think the threat comes from. E.g. method 1 means you (via permissions alone) can't really avoid other users/sites on the server getting to your uploaded files, but you can protect your PHP files from being altered by the web server. Method 2 can be used to protect your uploaded files, but puts your site files themselves at greater risk as the web server can now alter them.

> I set it to public and web accessible, but it looks like Drupal needs RW access to the Files folder. How are you supposed to secure that folder?

It sounds like Go Daddy use method 1. Basically there isn't much more you can do about it - it is the nature of being able to upload files to a shared host via the web server. The only way to tighten that is to forgo browser uploads and manage your files manually via FTP.

If you really want security you'll need a server to yourself (eg a virtual server or a dedicated server).

--
Anton
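A permission audit for the trade-off described in the comment above, as an added example that is not part of the original thread: it lists uploads that other accounts can read and code that is writable beyond the owner account. The function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

CODE_EXT = (".php", ".inc", ".module", ".install")  # assumed list of Drupal code types

def audit(docroot, upload_dir="files"):
    """Return sorted (relative_path, issue) pairs for a docroot on a shared host."""
    findings = []
    upload_root = os.path.join(docroot, upload_dir)
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink say nothing useful
            rel = os.path.relpath(path, docroot)
            in_uploads = os.path.commonpath([upload_root, path]) == upload_root
            if in_uploads:
                # With a separate web server account, write bits are expected
                # here; what matters is whether other accounts can read.
                if st.st_mode & stat.S_IROTH:
                    findings.append((rel, "upload readable by other accounts"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and (
                    stat.S_ISDIR(st.st_mode) or name.endswith(CODE_EXT)):
                # Outside the upload directory only the owner should write.
                findings.append((rel, "code writable by group or others"))
    return sorted(findings)

def build_sample(root):
    """Create a constructed sample tree (not taken from any real site)."""
    layout = {
        "index.php": 0o644,                   # owner-only write: not reported
        "sites/default/settings.php": 0o666,  # writable by everyone: reported
        "files/report.pdf": 0o644,            # world-readable upload: reported
        "files/private.txt": 0o600,           # owner-only upload: not reported
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for d, mode in (("sites", 0o755), ("sites/default", 0o755), ("files", 0o777)):
        os.chmod(os.path.join(root, d), mode)  # set explicitly, independent of umask

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, issue in audit(tmp):
            print(f"{rel}: {issue}")
```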

jszeinstra’s picture

Anton,

Thanks for the reply. I was guessing that shared hosting is almost impossible to get secure. This site is just a test site, but in the future with production sites I will make sure to use a virtual server setup.

Jason

Ken Knowles’s picture

I am using Drupal 6.5, so I can't verify this will work for Drupal 5.x.

I am using Go Daddy for my hosting and I have been able to secure the files directory as follows:

1. Set the files directory to private in /admin/settings/file-system. Do not change the path. Just set it to private.

2. Modify the .htaccess file in the files directory to include the following:
Order Deny,Allow
Deny from all
Allow from <IP address of your web server>

I am using a dedicated IP address for my hosting. However, I think this will still work if you don't have a dedicated IP address.

Update: This does not work. I tried accessing my site after a while, and it was not accessing the files directory correctly.