Re: [Phpgroupware-users] Re: Filemanager and the Document-root

[Chris Weiss]

On 10/7/06, chackie-lee  wrote:
> > It seems to me, that they use something like /home/nnn/user/ as > the doc
> > root?
> Yeah, thats right. My home-path is /home/15/dwdanied
>
> > What is your document root and home directory?  Feel free to
> > munge it if you have to.
> The problem is, that the home directory is the same as the document root.
> And I think, a lot of Webspace-Provider make it like bytecamp.net.
>
> Why does the phpGroupware uses this procedure for the 
> filemanger/User-/group-file??
> I have tested allot of them, and this one is the only one, which do it this way.

a lot of web hosts (and other groupware projects) do a lot of things
that are insecure.  buy not allowing a separate home dir and web root
they are requiring that if you want users to upload files, you have to
allow them direct http access to those files.  This means no access
controls on who can get to what, no reliable download counter, no
deep-link prevention, and worst of all, users could upload php and cgi
scripts and run them on your server.  We do it this way because it's
manageable cross-platform security.  I know there are other ways to
restrict what the public can do in a directory, but they are all web
server specific and would still exclude user based access control, dl
counters, and deep-link prevention.  Of course, so long as you
understand the implications, you can comment out the code that makes
this "out of web root" requirement.   I don't recall exactly where it
is, it used to be noted on the wiki.


> BTW: Any ideas, why DB-operations are so slow? Every Page-load needs 4-5 
> seconds. Other groupwares need 0.5 sec only.

that's a tough comparison to make, especially on a shared host.  what
database are you using?  is it on the same host as the web server?
did the indexes get added to the database?  how much load is it under?
do the other gw systems work with exactly the same kind of data?