vB security question: others with ftp access

  • Tommy Gun
    New Member
    • Feb 2005
    • 4
    • 3.0.7

    vB security question: others with ftp access

    We have a server with our forum on it. We offer webspace for some of our members if they want to make a site. This is raw webspace, php is allowed, etc., although they only have access to their folder (oursite.com/whatever).

    My question is, since this is all on the same server, wouldn't it be possible for someone to write a php script to grab the contents of the vB config file, which would give them the database username/password? Then they could access the database directly?

    Am I forgetting about something in vB that secures it from this? If not, is there something I can do to protect it? I have cpanel access, not total control over the server, and I don't want to disable php for everyone anyway. Is there anything else I should know?
  • Colin F
    Senior Member
    • May 2004
    • 17689

    #2
    They could access your details, so what you're doing is rather insecure.
    Web hosts set up different users that only have access to specific directories, but it seems you can't set up those, as you don't have enough access.

    Possibly you can switch your account to a 'reseller' account, which should work better for your situation.
    Best Regards
    Colin Frei

    Please don't contact me per PM.

    • Tommy Gun
      New Member
      • Feb 2005
      • 4
      • 3.0.7

      #3
      Thanks. I'm friends with the person who owns the server, so we could maybe work something out, or maybe just get a separate domain name for the user sites (then use "addon domain" in cpanel). That would treat it as a separate account, so it should be secure, yes?

      It would still be on the same server and account (oursite.com/usersites/whatever) but it would appear as (newdomain.com/whatever).

      • Colin F
        Senior Member
        • May 2004
        • 17689

        #4
        I don't think a new domain would be enough to be honest.
        Best Regards
        Colin Frei

        Please don't contact me per PM.

        • Tommy Gun
          New Member
          • Feb 2005
          • 4
          • 3.0.7

          #5
          Really? I'm pretty sure it's treated as a whole separate account, despite being an addon domain. So if they did something like "../../forum" to get to our forum, it would be on the other domain and wouldn't find anything.

          • Colin F
            Senior Member
            • May 2004
            • 17689

            #6
            But with addon domains in cPanel you can usually also call up the files using http://www.maindomain.com/addondomainfolder/ as far as I know.

            Also, the server doesn't really care what domain a file is on, it cares what user has access to the file in the filesystem, and with an addon domain that would be the same user.
            Best Regards
            Colin Frei

            Please don't contact me per PM.
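
The point made in post #6, that access is decided by which filesystem user owns and can read the file rather than by the domain it is served under, can be checked with a short permission audit. This is an added example, not code from the thread, vBulletin or cPanel; the directory layout is constructed, the "separate account" uid/gid are hypothetical, and it assumes scripts run as the hosting account's own user.

```python
import os
import stat
import tempfile


def _allowed(st, uid, gids, bits):
    """Classic Unix check: only one of the owner/group/other bits applies."""
    owner_bit, group_bit, other_bit = bits
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_read(path, uid, gids, top):
    """Could a process with this uid/gids read `path`? Mode bits only:
    ACLs, open_basedir and chroot are not modelled."""
    rel = os.path.relpath(os.path.dirname(path), top)
    current = top
    dirs = [top]
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        dirs.append(current)
    if not all(_allowed(os.stat(d), uid, gids, SEARCH) for d in dirs):
        return False  # a directory on the way down cannot be traversed
    return _allowed(os.stat(path), uid, gids, READ)


def demo():
    """Constructed layout: a forum config file inside one hosting account."""
    top = tempfile.mkdtemp()
    inc = os.path.join(top, "forum", "includes")
    os.makedirs(inc)
    for d in (top, os.path.join(top, "forum"), inc):
        os.chmod(d, 0o755)
    cfg = os.path.join(inc, "config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php /* placeholder, no credentials */ ?>\n")
    st = os.stat(cfg)
    same = (st.st_uid, {st.st_gid})            # addon domain: same account
    other = (st.st_uid + 1, {st.st_gid + 1})   # hypothetical separate account
    results = {}
    for mode in (0o644, 0o600):
        os.chmod(cfg, mode)
        results[oct(mode)] = {"same_account": can_read(cfg, *same, top),
                              "separate_account": can_read(cfg, *other, top)}
    return results
```

Tightening the file mode only changes the outcome for a separate account; a script running as the same account can read the config under either mode.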

            • Tommy Gun
              New Member
              • Feb 2005
              • 4
              • 3.0.7

              #7
              Originally posted by Colin F
              "But with addon domains in cPanel you can usually also call up the files using http://www.maindomain.com/addondomainfolder/ as far as I know."

              Yes, but you can't read the php code that way--the script would run and return them the html code (i.e. with all the php code stripped away, including sensitive info). I've actually had problems because of this: I gave people scripts with some code that used php "include" with the global url, but when the include page was inserted, it was just html, so it didn't work. I had to change it around to use include "../../something/whatever.php" (local instead of global) for it to work. Doing this on an addon domain would return only files on the addon domain.

              "Also, the server doesn't really care what domain a file is on, it cares what user has access to the file in the filesystem, and with an addon domain that would be the same user."

              I would still be giving users access to their folder only, on the addon domain. They wouldn't be able to directly access anything else; the only issue is running a script that could do it, but as I explained above, I don't think it would work.

              Obviously I could be wrong about this stuff, that's why I'm asking, but I'm pretty sure that's how it all works. I'm no hacker though, so I don't know all the ways to break in. I guess I should talk to my server guy. Thanks for discussing this with me.

              • Colin F
                Senior Member
                • May 2004
                • 17689

                #8
                "Doing this on an addon domain would return only files on the addon domain."

                In my opinion you're wrong about that part. But anyhow, I'm not a server guru either, talk with your server guy, he should be able to tell you for sure.
                Best Regards
                Colin Frei

                Please don't contact me per PM.
