I have a few websites that use the same cached weather reports so I wanted them all in the same folder. It seemed the most logical way to do this would be to but this folder outside of the webroot. It also seemed the easiest way to access this new folder would be to set sym links from the old folders within the webroot.

What I am concerned about is I've had to set the new directory to 777 as I am using FasCGI for my PHP and therefore each website has a different user.

So first question, what are the security implications - is this the same as having a 777 folder within the webroot?

Secondly. If this is a problem what is the best solution.

BTW this is on Centos 6.2 server running Plesk 10.4 if that makes any difference.

TIA Chris

2 Answers2


About the security implications I cannot say, but I think if an attacker has managed to exploit the weather data is your smallest problem.

About the permissions - make all web users members of common group (if they aren't already) and change the ownership of the files. That way you can grant access only to the group. Also why the web users need write access on the files?

  • The webuser needs write access as the data is created for and by the website on demand and then cached for future reference. I did think about setting up a group, but as that would be the webuser/apache I wasn't sure if assigning write permissions made any difference to any lack of security – Chris Leather Jan 14 '13 at 15:15
  • My point was to create another group (for example webusers) and add each webuser to it. Then you can assign write permission to it and the rest of apache group members won't be able to write there. – Tsvetomir Dimitrov Jan 15 '13 at 14:27

It is possible to share a directory between multiple virtual hosts on an Apache webserver using the Alias directive in mod_alias. You would need to place something like this stanza in each <VirtualHost> entry like so:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com example.org www.example.org

    ScriptAlias /cgi-bin/ "/path/to/webroot/.cgi-bin/"

    <Directory "/path/to/webroot">
        Options Indexes Includes FollowSymLinks ExecCGI
        AllowOverride All
        AddHandler php5-fastcgi .php .php5 .php4
        Action php5-fastcgi /cgi-bin/php5.fcgi
        Order allow,deny
        Allow from All

    Alias /reports "/path/to/weather/reports"
    <Directory "/path/to/weather/reports">
        Order allow,deny
        Allow from all

This would map the files in /path/to/weather/reports to http://example.com/reports/ so you can place saner file permissions on /path/to/weather/reports. The directory should require proper permissions for Apache to traverse it, so you can follow tsurko's recommendation and set up a group (e.g., fcgiusers), add the users to the group (by running a command like usermod -a -G fcgiusers USERNAME), and give the group permissions to the folders and files in the shared location. These commands run with root privileges should do the trick:

chown -Rv apache:fcgiusers /path/to/weather/reports;
find /path/to/weather/reports  -type d -exec chmod 0775 {} \;
find /path/to/weather/reports  -type f -exec chmod 0664 {} \;  
  • 66
  • 2