Thread: Write permissions on root folder - good or bad?

My personal take on this is that the same folder (website root or a folder within the website root) should not have write and script or execute permissions at the same time, as this poses a security risk.

If your root folder has write perms but no script/execute perms, then HTML and image files could be written there and that would be OK.

A CMS system which relies on writing files into the website area is, in my view, poorly designed. However, this is how almost all the apps I've seen have been developed. The better solution is to have all updateable content stored outside the website area, where it can be accessed by scripts/apps in the website area, so the website is dynamic not static.

Whether the writeable folder is the website root or a folder within the website root is beside the point really, it's the permissions mix that makes the difference.

Why don't you do what a lot of our .net clients do use ISAPI_ReWrite.

Store the files in the folders that make sense then use isapi_rewrite to make the URL's 100% SE friendly.

Having all files in the root isn't a major SEO benefit in my view if the files are well named and links well structured you should be fine.

CMS for me is a db backend with the content stored then a simple file spits out the output based on the querystring then you use something like ISAPI_ReWrite to make the URL's friendly depending on what you specify in the DB so its 100% dynamic no writing to files.

Chris is right, ISAPI rewrite can be a really good improvement.

Database backends are simple, but you can end up with a lot of database load where a simpler "read in from a text file" approach puts much less load on the system.

Such as BBC News where the whole site is managed by a custom CMS, but writes out static .shtml files only including a certain amount of dynamic content, which itself is pretty static, e.g. the header/footer bars and menus.

Actually its all down to how its done if its an MSSQL backend and the db, sproc and frontend is written correctly it can be far faster under load than file reads plus you don't get file lock issues and open stream problems.

For small amounts of data XML is ideal or text file but if you have a load of pages i would say mssql backend is the way to go.

We show up on the ISAPI_ReWrite website (Shared hosting services) as a supported host for v3 etc so we get quite a few enquiries it does the job. Excellent for php shopping carts like zencart, cubecart and joomla CMS if you want SE friendly URL's.

Originally Posted by heypresto

Such as BBC News where the whole site is managed by a custom CMS, but writes out static .shtml files only including a certain amount of dynamic content, which itself is pretty static, e.g. the header/footer bars and menus.

All down to site load for small to medium DB works, large static is usually better as it can be cached.

Originally Posted by Dhosting

Actually its all down to how its done if its an MSSQL backend and the db, sproc and frontend is written correctly it can be far faster under load than file reads plus you don't get file lock issues and open stream problems.

er... no

deal with any kind of real load and thats just not true!

Dan in the context of the OP's requirement db vs file there will be no real difference.

DB backend can perform exceptionally well up to decent loads.

Static is always going to be faster but for the OP DB backend would do the job saves ********* about with files all the time.

We aren't talking the BBC here or some other super large site.

ISAPI_ReWrite is the IIS version of Mod_ReWrite its near enough the same

Originally Posted by lsot

Netbenefit will not allow write permissions on the root folder for security reasons. I am therefore planning to move to our web developers hosting package which is on rackspace.

It may be worth confirming with them exactly what write perms they will not allow, for example they certainly would not allow public write perms due to security, but they may allow group write perms (ie the user that your .net would process run under) to be allowed to write to it's own local area, and I think it would be unusual for them to disallow this?

It may be worth confirming with them, or even testing it.

Cheers,
Sean

You can't go wrong

I know that ISAPI-Rewrite is only cheap, but why bother when you can do the basics easily enough in .net. Especially with something like..

ASP.NET 2.0: URL Mapping with RegEx Support

...or have I missunderstood something?

I can see the advantage in that it's compatible with apache rewrite configs, but how well does it scale? Has anyone here run it on some very large sites (say, sites that generate 1 to 10GB of logs a day)? I think it would worry me a bit being a 3rd party ISAPI filter for a large site that has to cope with a lot of traffic (knowing how darned difficult ISAPI filters are to debug). Looks like there is a heck of a lot of functionality, but if it's simple rewriting you want to do isn't it an unnecessary additional (and therefore falible) layer?