$HOME is where the what is?

One thing I see a lot of, and it bugs me to no end is the way web applications store everything (class files, configs, passwords, templates, uploads, on and on…) in web space.

I consider this to be a serious security concern, we’ve all probably seen what happens when a web server gets mis-configured or when a file gets renamed to “super-private-data.php.BAK”, allowing a web browser to access the file. (or dump the source of it)

For the same reasons, I don’t like to rely on an .htaccess file if I can avoid it.

On my favorite platforms, we have home directories. You can look up the persons home directory using posix functions and store stuff much as any other unix application. ~user/foo, when this works, it works great, you can get their userid from the file owner.

Some lower quality ISP’s disable the posix functions, so I’ll use an environment variable (SetEnv in an .htaccess file)

However… I’ve found time and time again that people get confused by this. (especially with ftp clients that chroot into their home directories)

Seems people expect everything to be stored in web space, I’ve even watched (in horror) as people put “.htpasswd” files in web space.

As far as I’m concerned, the home directory /is/ the standard, but I don’t often hear people complain when it’s not supported, is there some new web 2.0 21st century standard being worked on?

Where do you store private data that shouldn’t be in web space?

Misconfigured .htaccess or .htpasswd can leak the information. You should not put your scripts in the location where an attacker can expect them to be.

If your server allows you to relocate your web space, you can! FTP only servers won’t be good enough.

In my VPS servers, I organize directories myself - relocating them into a different location. Optionally disable safe_basedir, and include files from the location outside the htdocs, www, public_html. I don’t truly work in the locations given by the control panel application while creating the webspace.

super-private-data.php.BAK: Similar case can happen if you are using vi editor, and it creates swap files. If directory listing was enabled, grr…