Frequently Asked Questions

The NearlyFreeSpeech.NET FAQ (*)

Programming (*)

What is a site realm?

A site's "realm" refers to the combined collection of all the operating system files and third party applications present in its CGI/ssh/PHP environment.

Some people want the latest and greatest versions of applications, particularly programming languages, especially while they are developing a new site. Others strongly prefer things stay as stable as possible so they don't have to deal with their site breaking every time a non-backwards-compatible change gets made by some application developer, especially once their site is up and working.

Likewise, security updates always run the risk of breaking things. Some people prefer to receive security updates immediately to minimize the risk of exposure. Other people prefer to defer updates to a time of their choosing, so they can deal with any problems that result, to minimize the risk of downtime.

Because all of these desires are in direct conflict, we provide multiple types of site realms. They are broadly divided into the following types:

This is the default realm assigned to new sites. It receives only security updates and important (i.e. "stuff is broken") fixes. If you don't know which realm to choose, choose the Stable/Current realm.
This is a newer stable realm that will become the default for new sites in the future. It receives only security updates, important (i.e. "stuff is broken") fixes, and (rarely) some non-disruptive new package requests. If you want to get your stuff working in a stable environment that will receive fixes for as long as possible, choose this.
This is a realm that receives ongoing updates. Although it won't become stable, it serves as a blueprint for future stable realms. Newly-requested software will be installed into a beta realm first. Beta realms also receive frequent updates, including security fixes, bug fixes, and upgrades to installed packages. Programming languages may receive significant upgrades every few months.
This is a realm that is not designed to become stable. It contains bleeding-edge languages or software or serves some other purpose that may be grossly incompatible with other realms. Experimental realms may receive large, potentially incompatible, updates at any time. Experimental realms are not supported or recommended for any production usage.
This is an older stable realm that is still supported, but will be obsolete soon. Once a realm becomes obsolete, any sites still using it will be automatically moved to the current Stable/Upcoming realm. Deprecated realms receive no updates.

We add new stable realms based on the then-current beta realm about every three months. These new realms are stable and reliable, but remain "Upcoming" for about three months to shake out any weird defects or bugs before becoming the current stable realm. Newly-created sites will start in the current stable realm and, by default, when a new realm becomes current, sites in older realms will be automatically migrated to it.

A site's schedule for automatic realm upgrades can be adjusted via the "Realm Updates" setting in the "Config Information" box on the Site Information Panel. This gives you some control over when to upgrade. If you select the "late" update option, we recommend that you upgrade your site's realm manually about every six months to avoid falling too far behind. (The farther behind you fall, the greater the likelihood of problems when you update.) Although rare, compatibility issues are possible, so it's best to do this at a time when you are ready to deal with them.

You can also switch between available site realms, or get a list of currently-supported realms, by selecting "Edit" on the "CGI/SSH Realm" line of the same box.

Caution: This is not a subtle change; if you're logged in to ssh when you change realms, it will attempt to kick you off. It is a little like rebooting. So make sure you have saved your work!

How do I set up the server to allow web scripts to write files?

By default, your site is set up with secure default permissions that don't allow web scripts to write files anywhere except in /tmp. You must set permissions to allow any additional locations to be written.

In order for a PHP or CGI script, or a daemon processes run as the "web" user, to write to a file, the "web" user must have write access to that file. There are two ways to accomplish this.

In order for a script or web process to create a file, it's the permissions of the directory in which the file is to be created that matter. To allow this, do either of the following:

The choice of whether to use group-write or all-write is one of personal preference. There is no meaningful difference on our system at this time. Likewise, the choice of semantic ("a+w") vs. octal (777) is one of personal preference. Just be careful not to set directories to 666 permissions, as they will not work correctly and the result can be very confusing.

If you look online, you may find advice telling you to set all directories to 777 and all files to 666. This is terrible advice. Roughly translated it means "I don't understand Unix file permissions well enough to help you, but doing this will hide the problem for now, and I'll be long gone when this terrible advice I'm giving you lets hackers completely overwrite your site."

PHP's security track record is not very good, and our system security is designed primarily to protect sites from each other; it does not (and cannot) protect sites from themselves. So while "writeable everything" may appear to work initially, and it seems easy, sooner or later a flaw will be found in your site's PHP code or in PHP itself, and if your site is full writeable files and directories, hackers will make short work of it. When deciding what to make writeable, please keep in mind the old adage, "If you don't have time to do it right, when will you have time to do it over?"

In particular, we strongly discourage members from making script files and key directories (like /home/public) writeable by the web user. This setting is used by some applications to enable self-updating over the web. We discourage that practice as well; if you can update your site over the web, so can someone else, and the site may look very different when they finish with it. We recommend using out-of-band methods to update site applications. For example, we support and recommend the use of the WP-CLI command line tool to keep WordPress installations up-to-date without exposing them to massive compromise resulting from the frequent security problems WordPress is so famous for.

Therefore, the final rule of thumb for writing files is not to set anything to be writeable over the web unless you don't mind restoring it from backup after hackers get to it. We hope this encourages you to both be conservative in what you allow PHP to write, and to keep good backups. :-)

Note: If you are still using a version of PHP older than 5.4, there are additional requirements. However, if you are still using a version of PHP prior to 5.4, stop now and upgrade because writing files is the least of your problems.

How does CGI work at NearlyFreeSpeech.NET?

We support CGI scripts with a .cgi extension in any directory in any of the available CGI languages. You do not need to limit your scripts to a cgi-bin directory, but you may if you wish (they will still need a .cgi extension unless you use the SetHandler directive in your .htaccess file). If you have trouble getting your scripts to execute make sure they are uploaded with execute permissions, that the #! line is correct, and that you've used Unix-format line endings.

CGI applications may be automatically terminated if they consume excessive system resources, run for an excessively long time, or appear to operating as "daemon" style processes.

NOTE: In addition to .cgi the following "default" CGI extensions will also work: .py .pl .rb

What can I do if I want a script to run every so often on my site (like cron)?

We allow the setup of scheduled tasks that run on a regular schedule, as often as once per hour. This feature is available as "Manage Scheduled Tasks" in the "Actions" box on the Site Information page.

This feature is supported for all server types including static sites and can run tasks either as the site owner or the web user.

Output from the scheduled task (stdout and stderr), if any, will be delivered by email if possible. If there is no output, no email will be sent. If your email address is bouncing or refusing messages, or if the output is extremely large, it will be diverted to a file in your site's /home/logs directory.

How do I customize my PHP configuration?

You can place customized PHP configuration directives in the file /home/conf/php.ini. This file will not exist by default, so you'll have to create it and make sure it is readable but not writable by the web server (644 permissions). These options will be parsed at the master level (above even PHP_INI_SYSTEM); you may use any directive supported by the version of PHP you are using, including those marked as "php.ini only." Your php.ini file is parsed in addition to, not in lieu of, the system php.ini file, so you only need your site-specific changes.

Note: The php.ini file is not parsed on every request. Changes may take a few minutes of idle time to take effect. (Which, if your site is never idle, may mean they never take effect.) If you want to help it along, you can place your site in maintenance mode or temporarily disable it for a minute or two to ensure that all running processes are killed. Use the phpinfo() function to review the running config and confirm that your changes have been processed.


upload_max_filesize = "20M"
display_errors = Off
log_errors = On
extension = "/home/protected/"

For more information about which PHP configuration directives are available at which level, see the official PHP documentation.

What is the path to the root of my site in PHP?

For PHP 5.4 and later, PHP and CGI have the same base path: /home.

For older versions of PHP, the path is based on the Apache site root and can vary based on when your site was created and when it was last reconfigured. To make sure you stay pointed at the right location, use the PHP-standard $_SERVER['DOCUMENT_ROOT'] value to refer to your site's public directory.

We also provide the $_SERVER['NFSN_SITE_ROOT'] variable for this purpose, in addition to DOCUMENT_ROOT. NFSN_SITE_ROOT points to your site's root directory, the parent of public and protected, making it the best choice for safely referring to the protected directory from PHP.

We strongly recommend that you use $_SERVER['DOCUMENT_ROOT'] or $_SERVER['NFSN_SITE_ROOT'] whenever possible and avoid hardcoding paths in order to avoid problems in the event of a change. If you have to hardcode the path (for a third-party app not smart enough to understand variables or similar), get it from the "Apache Site Root" value under "Config Information" on your site info panel, but keep in mind the possibility that it could change someday.

Where can I read more about how PHP works at NearlyFreeSpeech.NET?

We keep in-depth information about various aspects of PHP in these locations:

PHP Versions Explanation

Detailed PHP information

PHP is also a frequent topic of discussion in the Member Forum and Member Wiki.

What is the best HTML editor to use with your system?

The best one is the one that works best for you. HTML editors vary widely in terms of features, methodology, and target audience. There is no way to recommend a single best tool for everyone. If the program gets the results you want and you understand how to use it, then it is right for you.

There are many commercial programs that work as well. Some of them are listed in our Pre-Sales FAQ.

There are also many freeware, public domain, and shareware utilities for editing web pages. We don't have any specific recommendations in that area because things tend to change very rapidly. A great place to start if you want to learn more about these programs is the HTML Editors page.

Some factors to consider in choosing a program are:

The NearlyFreeSpeech.NET web site is entirely maintained using vi, except for one guy who insists on using emacs. We do not recommend learning these tools to people getting started with HTML or the Unix command line, as they are both general-purpose text editors. The newer tools are purpose-built for editing HTML pages and are much easier to learn.

How do I increase the PHP memory limit?

The PHP memory_limit is a legacy option that applied only to PHP 5.3 and earlier. This option is no longer used.

If you are still using PHP 5.3 for some reason, don't. It was discontinued years ago, is insecure, and its use is not supported in any form or fashion, including raising the hardcoded memory limit. If you encounter memory issues... or any other issues... with a PHP 5.3 site, the solution is to update the site to a supported version of PHP.

If you are using any supported version of PHP, you do not need to raise the per-process memory limit because there isn't one.

What references do you recommend for web technologies?

For a tutorial/HOWTO approach, we like the site in particular, because it gives you the ability to fiddle with their examples and see the results in real time. They have guides for HTML, CSS, JavaScript and PHP, among others.

For quick reference and looking things up, we recommend MDN, the Mozilla Developer Network. They have references for HTML, CSS, and JavaScript, among others.

The World Wide Web Consortium (W3C) defines many web standards, and they have information about HTML and CSS. The standards documents can be a bit dry, but they are the definitive final word on the subject.

Do you have register_globals enabled for PHP?

No. By default, this feature of PHP is not enabled. It is widely considered a serious security risk and we have seen a number of member sites victimized by exploits related to having register_globals enabled. We discourage its use.

However, if you understand the implications of register_globals and you are prepared to accept the increased security risks associated with its use, we have provided you with the means to enable it on a per-directory basis. Simply create an .htaccess file in your public folder containing the line:

php_flag register_globals on

You can verify that this is working by using the phpinfo() function on a PHP page. You should see register_globals set to "On" in the local context and "Off" in the global context.

If you do not need register_globals support, you do not need to take any steps to protect your site from exploits related to it.

What is the path to the root of my site for CGI scripts?

The path to the root of your site is always seen as /home by CGI scripts, by modern (5.4+) PHP, by any daemon processes you run, and by you via ssh access.

This is reflected in the NFSN_SITE_ROOT environment variable, which will always be set to /home for CGI scripts.

How do I change the version of PHP that my site uses?

To switch a site between PHP versions, follow these steps:

  1. Go to the Sites tab in our member interface.
  2. Select the name of the site you want to change in the "Short Name" column to go to the Site Information panel for that site.
  3. On the Site Information panel, select the "Edit" button on the "PHP Version" line of the "Config Information" box.
  4. On the "Site PHP Version" panel, select the version of PHP you want to use and press the "Save Changes" button.

Note: If you do not see a "PHP Version" line in your site's Config Information box, your site's selected server type may be out of date, or may not support PHP at all. To resolve this, you can change your site's server type.

I used an absolute path in an SSI and it didn't work. What should I do?

Make sure all of your SSI (.shtml) files use relative path paths. The supported SSI for including other files or the output of CGI applications is:

<!--#include virtual="../relative/path/app.cgi" -->

The "#exec cmd" and "#include file" directives are deprecated and are not guaranteed to work at all on our system.

How do I control what user a CGI script runs as?

By default, CGI scripts are executed as the "web" user and group, which has almost no privileges on our system. In most cases, this is the best choice, as it controls the damage that a vulnerable script can inflict. However, for some file-management and other applications, it is necessary for a script to run with the full permissions of the user that owns your files (i.e. you, a.k.a. the "me" user ID when viewed from ssh).

To this end, we allow you to set the suid and/or sgid file permission bits on CGI applications. When the suid bit is set, the web server will execute the script using the user id of the owner of the script (provided that the owner of the script is you). When the sgid bit is set, the web server will execute the script using the group id of the group that owns the script. It is safe to use the suid/sgid bits for this purpose; our system does not otherwise honor them.

Please note that there are security implications to running web scripts as your own user ID. If such a script is compromised, you will need to delete your entire site and recreate it from scratch or otherwise manually check every single file because there will be no other way to ensure that other files have not been subtly changed. For this reason, we strongly discourage the indiscriminate use of this feature as a substitute for properly setting up file permissions.

Can I compile my own CGI application on your servers?

You may be able to use our ssh environment to compile your application for our servers; we provide C & C++ compilers for this purpose. However, we only provide these tools as-is; you are completely on your own with respect to using them or getting custom CGI applications to run on our servers.

How do I write files from scripts run by the web server?

In order to write files successfully from the web server (e.g. via a PHP script), one of two criteria must be met:

By default, most files and directories are not writable by the web server. This is an important security precaution, as this prevents minor (and, sadly, common) security flaws in tools like PHP from turning into catastrophic site-wide destruction. Consequently, you must decide in advance which files and/or directories you will allow the web server to write to. (The exception to this rule is that files created by the web server will generally be writeable by the web server by default.)

The web server runs as the "web" user and is in (only) the "web" group. Each site also has its own private user and group unique to that site. When you create a file, it will go into the site's private user and group. As a result, there are three ways to mark a file or directory as writeable by the web server.

So, setting files or directories to be writable by the web server is a two step process:

  1. Check the user and group ownership of the file and/or parent directory (usually shown by SFTP/FTP clients or the ls -l shell command) to determine whether the web server will be treated as user, group, or other when accessing it.
  2. Make sure that the appropriate user, group, or other write permission is set via chmod on the command line or the equivalent function in your SFTP/FTP tool.

Usually people have trouble getting the web server to write files, but the reverse problem is also possible: when the web server creates files, it is possible for it to set them such that you can't access (or delete) them. If this happens, you can repossess the offending files. To prevent it from happening in the first place, make sure your scripts use an appropriate umask, such as 002. This will cause files and directories to be created with read and write permissions for the web group, which you are in, so you will retain access to them.