Frequently Asked Questions
A site's "realm" refers to the combined collection of all the operating system files and third-party applications present in its CGI/ssh/PHP environment.
Some people want the latest and greatest versions of applications, particularly programming languages, especially while they are developing a new site. Others strongly prefer things stay as stable as possible so they don't have to deal with their site breaking every time a non-backwards-compatible change gets made by some application developer, especially once their site is up and working.
Likewise, security updates always run the risk of breaking things. Some people prefer to receive security updates immediately to minimize the risk of exposure. Other people prefer to defer updates to a time of their choosing, so they can deal with any problems that result, to minimize the risk of downtime.
Because all of these desires are in direct conflict, we provide multiple types of site realms. They are broadly divided into the following types:
We add new stable realms based on the then-current beta realm about every three months. These new realms are stable and reliable, but remain "Upcoming" for about three months to shake out any weird defects or bugs before becoming the current stable realm. Newly-created sites will start in the current stable realm and, by default, when a new realm becomes current, sites in older realms will be automatically migrated to it.
A site's schedule for automatic realm upgrades can be adjusted via the "Realm Updates" setting in the "Config Information" box on the Site Information Panel. This gives you some control over when to upgrade. If you select the "late" update option, we recommend that you upgrade your site's realm manually about every six months to avoid falling too far behind. (The farther behind you fall, the greater the likelihood of problems when you update.) Although rare, compatibility issues are possible, so it's best to do this at a time when you are ready to deal with them.
You can also switch between available site realms, or get a list of currently-supported realms, by selecting "Edit" on the "CGI/SSH Realm" line of the same box.
Caution: This is not a subtle change; if you're logged in to ssh when you change realms, it will attempt to kick you off. It is a little like rebooting. So make sure you have saved your work!
By default, your site is set up with secure default permissions that don't allow web scripts to write files anywhere except in /tmp. You must set permissions to allow any additional locations to be written.
In order for a PHP or CGI script, or a daemon process run as the "web" user, to write to a file, the "web" user must have write access to that file. There are two ways to accomplish this.
In order for a script or web process to create a file, it's the permissions of the directory in which the file is to be created that matter. To allow this, do either of the following:
The choice of whether to use group-write or all-write is one of personal preference. There is no meaningful difference on our system at this time. Likewise, the choice of semantic ("a+w") vs. octal (777) is one of personal preference. Just be careful not to set directories to 666 permissions, as they will not work correctly and the result can be very confusing.
If you look online, you may find advice telling you to set all directories to 777 and all files to 666. This is terrible advice. Roughly translated it means "I don't understand Unix file permissions well enough to help you, but doing this will hide the problem for now, and I'll be long gone when this terrible advice I'm giving you lets hackers completely overwrite your site."
PHP's security track record is not very good, and our system security is designed primarily to protect sites from each other; it does not (and cannot) protect sites from themselves. So while "writeable everything" may appear to work initially, and it seems easy, sooner or later a flaw will be found in your site's PHP code or in PHP itself, and if your site is full of writeable files and directories, hackers will make short work of it. When deciding what to make writeable, please keep in mind the old adage, "If you don't have time to do it right, when will you have time to do it over?"
In particular, we strongly discourage members from making script files and key directories (like /home/public) writeable by the web user. This setting is used by some applications to enable self-updating over the web. We discourage that practice as well; if you can update your site over the web, so can someone else, and the site may look very different when they finish with it. We recommend using out-of-band methods to update site applications. For example, we support and recommend the use of the WP-CLI command line tool to keep WordPress installations up-to-date without exposing them to massive compromise resulting from the frequent security problems WordPress is so famous for.
Therefore, the final rule of thumb for writing files is not to set anything to be writeable over the web unless you don't mind restoring it from backup after hackers get to it. We hope this encourages you to both be conservative in what you allow PHP to write, and to keep good backups. :-)
Note: If you are still using a version of PHP older than 5.4, there are additional requirements. However, if you are still using a version of PHP prior to 5.4, stop now and upgrade because writing files is the least of your problems.
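The permission mistakes described above can be checked for mechanically. The following audit is an added example, not NearlyFreeSpeech.NET code; the function name, the output tags and the sample tree are constructed for illustration. It looks at mode bits only: a group-write bit reaches the web user only when the entry's group is one the web user belongs to.

```sh
#!/bin/sh
# Added example (not NearlyFreeSpeech.NET code): audit a site tree for the
# permission mistakes discussed above. Prints one "<TAG> <path>" per finding.
audit_site_perms() {
    root=$1

    # A directory with a write bit but no search (x) bit for the same class,
    # e.g. mode 666, cannot be used by that class to create or reach files.
    find "$root" -type d \
        \( \( -perm -020 ! -perm -010 \) -o \( -perm -002 ! -perm -001 \) \) \
        -print 2>/dev/null | sed 's/^/BROKEN_DIR /'

    # Script files with a group- or world-write bit: code that a flaw in the
    # site could rewrite. Extensions are .php plus the CGI defaults.
    find "$root" -type f \( -perm -020 -o -perm -002 \) \
        \( -name '*.php' -o -name '*.cgi' -o -name '*.py' \
           -o -name '*.pl' -o -name '*.rb' \) \
        -print 2>/dev/null | sed 's/^/WRITABLE_SCRIPT /'

    # Everything else with a group- or world-write bit. This list should
    # match the few locations you deliberately opened up, and nothing more.
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        ! -name '*.php' ! -name '*.cgi' ! -name '*.py' \
        ! -name '*.pl' ! -name '*.rb' \
        -print 2>/dev/null | sed 's/^/WRITABLE /'
}

# Constructed sample tree (not a real site) so the audit runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/public/uploads" "$demo/public/cache"
: > "$demo/public/index.php";  chmod 644 "$demo/public/index.php"
: > "$demo/public/admin.php";  chmod 666 "$demo/public/admin.php"
chmod 755 "$demo" "$demo/public"
chmod 775 "$demo/public/uploads"   # intended writable location
chmod 666 "$demo/public/cache"     # the 666-on-a-directory mistake
audit_site_perms "$demo"
chmod 755 "$demo/public/cache"; rm -rf "$demo"
```

On a real site, run the function against /home/public and treat every WRITABLE_SCRIPT line as something to fix.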
We support CGI scripts with a .cgi extension in any directory in any of the available CGI languages. You do not need to limit your scripts to a cgi-bin directory, but you may if you wish (they will still need a .cgi extension unless you use the SetHandler directive in your .htaccess file). If you have trouble getting your scripts to execute make sure they are uploaded with execute permissions, that the #! line is correct, and that you've used Unix-format line endings.
CGI applications may be automatically terminated if they consume excessive system resources, run for an excessively long time, or appear to be operating as "daemon" style processes.
NOTE: In addition to .cgi the following "default" CGI extensions will also work: .py .pl .rb
We allow the setup of scheduled tasks that run on a regular schedule, as often as once per hour. This feature is available as "Manage Scheduled Tasks" in the "Actions" box on the Site Information page.
This feature is supported for all server types including static sites and can run tasks either as the site owner or the web user.
Output from the scheduled task (stdout and stderr), if any, will be delivered by email if possible. If there is no output, no email will be sent. If your email address is bouncing or refusing messages, or if the output is extremely large, it will be diverted to a file in your site's /home/logs directory.
You can place customized PHP configuration directives in the file /home/conf/php.ini. This file will not exist by default, so you'll have to create it and make sure it is readable but not writable by the web server (644 permissions). These options will be parsed at the master level (above even PHP_INI_SYSTEM); you may use any directive supported by the version of PHP you are using, including those marked as "php.ini only." Your php.ini file is parsed in addition to, not in lieu of, the system php.ini file, so you only need your site-specific changes.
Note: The php.ini file is not parsed on every request. Changes may take a few minutes of idle time to take effect. (Which, if your site is never idle, may mean they never take effect.) If you want to help it along, you can place your site in maintenance mode or temporarily disable it for a minute or two to ensure that all running processes are killed. Use the phpinfo() function to review the running config and confirm that your changes have been processed.
upload_max_filesize = "20M"
display_errors = Off
log_errors = On
extension = "/home/protected/mycustomphpextension.so"
For more information about which PHP configuration directives are available at which level, see the official PHP documentation.
For PHP 5.4 and later, PHP and CGI have the same base path: /home.
For older versions of PHP, the path is based on the Apache site root and can vary based on when your site was created and when it was last reconfigured. To make sure you stay pointed at the right location, use the PHP-standard $_SERVER['DOCUMENT_ROOT'] value to refer to your site's public directory.
We also provide the $_SERVER['NFSN_SITE_ROOT'] variable for this purpose, in addition to DOCUMENT_ROOT. NFSN_SITE_ROOT points to your site's root directory, the parent of public and protected, making it the best choice for safely referring to the protected directory from PHP.
We strongly recommend that you use $_SERVER['DOCUMENT_ROOT'] or $_SERVER['NFSN_SITE_ROOT'] whenever possible and avoid hardcoding paths in order to avoid problems in the event of a change. If you have to hardcode the path (for a third-party app not smart enough to understand variables or similar), get it from the "Apache Site Root" value under "Config Information" on your site info panel, but keep in mind the possibility that it could change someday.
We keep in-depth information about various aspects of PHP in these locations:
The best one is the one that works best for you. HTML editors vary widely in terms of features, methodology, and target audience. There is no way to recommend a single best tool for everyone. If the program gets the results you want and you understand how to use it, then it is right for you.
There are many commercial programs that work as well. Some of them are listed in our Pre-Sales FAQ.
There are also many freeware, public domain, and shareware utilities for editing web pages. We don't have any specific recommendations in that area because things tend to change very rapidly. A great place to start if you want to learn more about these programs is the About.com HTML Editors page.
Some factors to consider in choosing a program are:
The NearlyFreeSpeech.NET web site is entirely maintained using vi, except for one guy who insists on using emacs. We do not recommend learning these tools to people getting started with HTML or the Unix command line, as they are both general-purpose text editors. The newer tools are purpose-built for editing HTML pages and are much easier to learn.
The PHP memory_limit is a legacy option that applied only to PHP 5.3 and earlier. This option is no longer used.
If you are still using PHP 5.3 for some reason, don't. It was discontinued years ago, is insecure, and its use is not supported in any form or fashion, including raising the hardcoded memory limit. If you encounter memory issues... or any other issues... with a PHP 5.3 site, the solution is to update the site to a supported version of PHP.
If you are using any supported version of PHP, you do not need to raise the per-process memory limit because there isn't one.
The World Wide Web Consortium (W3C) defines many web standards, and they have information about HTML and CSS. The standards documents can be a bit dry, but they are the definitive final word on the subject.
No. By default, this feature of PHP is not enabled. It is widely considered a serious security risk and we have seen a number of member sites victimized by exploits related to having register_globals enabled. We discourage its use.
However, if you understand the implications of register_globals and you are prepared to accept the increased security risks associated with its use, we have provided you with the means to enable it on a per-directory basis. Simply create an .htaccess file in your public folder containing the line:
php_flag register_globals on
You can verify that this is working by using the phpinfo() function on a PHP page. You should see register_globals set to "On" in the local context and "Off" in the global context.
If you do not need register_globals support, you do not need to take any steps to protect your site from exploits related to it.
The path to the root of your site is always seen as /home by CGI scripts, by modern (5.4+) PHP, by any daemon processes you run, and by you via ssh access.
This is reflected in the NFSN_SITE_ROOT environment variable, which will always be set to /home for CGI scripts.
To switch a site between PHP versions, follow these steps:
Note: If you do not see a "PHP Version" line in your site's Config Information box, your site's selected server type may be out of date, or may not support PHP at all. To resolve this, you can change your site's server type.
Make sure all of your SSI (.shtml) files use relative paths. The supported SSI for including other files or the output of CGI applications is:
<!--#include virtual="../relative/path/app.cgi" -->
The "#exec cmd" and "#include file" directives are deprecated and are not guaranteed to work at all on our system.
By default, CGI scripts are executed as the "web" user and group, which has almost no privileges on our system. In most cases, this is the best choice, as it controls the damage that a vulnerable script can inflict. However, for some file-management and other applications, it is necessary for a script to run with the full permissions of the user that owns your files (i.e. you, a.k.a. the "me" user ID when viewed from ssh).
To this end, we allow you to set the suid and/or sgid file permission bits on CGI applications. When the suid bit is set, the web server will execute the script using the user id of the owner of the script (provided that the owner of the script is you). When the sgid bit is set, the web server will execute the script using the group id of the group that owns the script. It is safe to use the suid/sgid bits for this purpose; our system does not otherwise honor them.
Please note that there are security implications to running web scripts as your own user ID. If such a script is compromised, you will need to delete your entire site and recreate it from scratch or otherwise manually check every single file because there will be no other way to ensure that other files have not been subtly changed. For this reason, we strongly discourage the indiscriminate use of this feature as a substitute for properly setting up file permissions.
You may be able to use our ssh environment to compile your application for our servers; we provide C & C++ compilers for this purpose. However, we only provide these tools as-is; you are completely on your own with respect to using them or getting custom CGI applications to run on our servers.
In order to write files successfully from the web server (e.g. via a PHP script), one of two criteria must be met:
By default, most files and directories are not writable by the web server. This is an important security precaution, as this prevents minor (and, sadly, common) security flaws in tools like PHP from turning into catastrophic site-wide destruction. Consequently, you must decide in advance which files and/or directories you will allow the web server to write to. (The exception to this rule is that files created by the web server will generally be writeable by the web server by default.)
The web server runs as the "web" user and is in (only) the "web" group. Each site also has its own private user and group unique to that site. When you create a file, it will go into the site's private user and group. As a result, there are three ways to mark a file or directory as writeable by the web server.
So, setting files or directories to be writable by the web server is a two step process:
Usually people have trouble getting the web server to write files, but the reverse problem is also possible: when the web server creates files, it is possible for it to set them such that you can't access (or delete) them. If this happens, you can repossess the offending files. To prevent it from happening in the first place, make sure your scripts use an appropriate umask, such as 002. This will cause files and directories to be created with read and write permissions for the web group, which you are in, so you will retain access to them.
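The effect of the creating process's umask, as an added example that is not NearlyFreeSpeech.NET code: the function names are hypothetical and the sample directory is constructed. It creates files under three umasks and then lists the entries whose group bits would leave a group member unable to manage them; it inspects mode bits only, not ownership.

```sh
#!/bin/sh
# Added example (not NearlyFreeSpeech.NET code). Function names are
# hypothetical; the sample directory is constructed.

# Create a directory and a file the way a web script running with the given
# umask would: the umask clears bits from the default 777 (dir) / 666 (file).
create_as_script() {
    ( umask "$2" && mkdir "$1/data-$2" && : > "$1/data-$2/out.txt" )
}

# List entries under $1 that the owning group cannot fully manage: files
# lacking group read+write, directories lacking group read+write+search.
find_group_locked() {
    ( cd "$1" && find . ! -name . \
        \( \( -type f ! -perm -060 \) -o \( -type d ! -perm -070 \) \) \
        -print 2>/dev/null | sort )
}

demo=$(mktemp -d)
create_as_script "$demo" 077   # restrictive umask: group gets nothing
create_as_script "$demo" 022   # common default: group can read, not write
create_as_script "$demo" 002   # the umask recommended above
find_group_locked "$demo"      # lists the data-022 and data-077 entries
rm -rf "$demo"
```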