Write permissions on root folder - good or bad?

lsot · 8th August 2008

Hi, I'm hoping someone can help me!

My company website has been hosted by Netbenefit for the last 10 years with minimal issues. We've recently had a new website developed with a content management system, ASP.NET 3.0, and the developers will be marketing the website.

My issue:
For SEO reasons, the web developers have put all web pages in the root folder however for CMS I need write access to this folder. Netbenefit will not allow write permissions on the root folder for security reasons. I am therefore planning to move to our web developers hosting package which is on rackspace.

My questions:
If I move hosting, does having write access on the root folder cause a major security vulnerability?
If I stay with Netbenefit, how much would moving all the pages to a subfolder impact on SEO?

With everything I am being told from each company, I would just like to get an independent view on this.

Thanks.

TDMWeb · 8th August 2008

My personal take on this is that the same folder (website root or a folder within the website root) should not have write and script or execute permissions at the same time, as this poses a security risk.

If your root folder has write perms but no script/execute perms, then HTML and image files could be written there and that would be OK.

A CMS system which relies on writing files into the website area is, in my view, poorly designed. However, this is how almost all the apps I've seen have been developed. The better solution is to have all updateable content stored outside the website area, where it can be accessed by scripts/apps in the website area, so the website is dynamic not static.

Whether the writeable folder is the website root or a folder within the website root is beside the point really, it's the permissions mix that makes the difference.

Dhosting · 8th August 2008

Why don't you do what a lot of our .net clients do use ISAPI_ReWrite.

Store the files in the folders that make sense then use isapi_rewrite to make the URL's 100% SE friendly.

Having all files in the root isn't a major SEO benefit in my view if the files are well named and links well structured you should be fine.

CMS for me is a db backend with the content stored then a simple file spits out the output based on the querystring then you use something like ISAPI_ReWrite to make the URL's friendly depending on what you specify in the DB so its 100% dynamic no writing to files.

TDMWeb · 8th August 2008

Chris is right, ISAPI rewrite can be a really good improvement.

Database backends are simple, but you can end up with a lot of database load where a simpler "read in from a text file" approach puts much less load on the system.

heypresto · 8th August 2008

Such as BBC News where the whole site is managed by a custom CMS, but writes out static .shtml files only including a certain amount of dynamic content, which itself is pretty static, e.g. the header/footer bars and menus.

Dhosting · 8th August 2008

Actually its all down to how its done if its an MSSQL backend and the db, sproc and frontend is written correctly it can be far faster under load than file reads plus you don't get file lock issues and open stream problems.

For small amounts of data XML is ideal or text file but if you have a load of pages i would say mssql backend is the way to go.

We show up on the ISAPI_ReWrite website (Shared hosting services) as a supported host for v3 etc so we get quite a few enquiries it does the job. Excellent for php shopping carts like zencart, cubecart and joomla CMS if you want SE friendly URL's.

Dhosting · 8th August 2008

Quote:

Originally Posted by heypresto

Such as BBC News where the whole site is managed by a custom CMS, but writes out static .shtml files only including a certain amount of dynamic content, which itself is pretty static, e.g. the header/footer bars and menus.

All down to site load for small to medium DB works, large static is usually better as it can be cached.

goscombtech · 8th August 2008

Quote:

Originally Posted by Dhosting

Actually its all down to how its done if its an MSSQL backend and the db, sproc and frontend is written correctly it can be far faster under load than file reads plus you don't get file lock issues and open stream problems.

er... no

deal with any kind of real load and thats just not true!

Dhosting · 8th August 2008

Dan in the context of the OP's requirement db vs file there will be no real difference.

DB backend can perform exceptionally well up to decent loads.

Static is always going to be faster but for the OP DB backend would do the job saves ********* about with files all the time.

We aren't talking the BBC here or some other super large site.

burble · 8th August 2008

I use a DB and mod_rewrite (apache equivalent of ISAPI I believe). That way if you see a certain page using a lot of resources, you can cache it to a static file (either through the admin interface or a cron job) - if you set up your mod_rewrite rules sensibly, nothing will need to change.

Dhosting · 8th August 2008

ISAPI_ReWrite is the IIS version of Mod_ReWrite its near enough the same

dch · 8th August 2008

Quote:

Originally Posted by lsot

Netbenefit will not allow write permissions on the root folder for security reasons. I am therefore planning to move to our web developers hosting package which is on rackspace.

It may be worth confirming with them exactly what write perms they will not allow, for example they certainly would not allow public write perms due to security, but they may allow group write perms (ie the user that your .net would process run under) to be allowed to write to it's own local area, and I think it would be unusual for them to disallow this?

It may be worth confirming with them, or even testing it.

Cheers,
Sean

lsot · 11th August 2008

Thanks for all your responses. I think using ISAPI_ReWrite will be the best way forward.

Dhosting · 11th August 2008

You can't go wrong

markcastle · 11th August 2008

I know that ISAPI-Rewrite is only cheap, but why bother when you can do the basics easily enough in .net. Especially with something like..

ASP.NET 2.0: URL Mapping with RegEx Support

...or have I missunderstood something?

I can see the advantage in that it's compatible with apache rewrite configs, but how well does it scale? Has anyone here run it on some very large sites (say, sites that generate 1 to 10GB of logs a day)? I think it would worry me a bit being a 3rd party ISAPI filter for a large site that has to cope with a lot of traffic (knowing how darned difficult ISAPI filters are to debug). Looks like there is a heck of a lot of functionality, but if it's simple rewriting you want to do isn't it an unnecessary additional (and therefore falible) layer?