Security question: apache access but no DH user ac


Is there a way to allow apache (dhapache) access to my web files, but disallow other dreamhost shell users from accessing them? According to the wiki (, to allow apache access, the directories need to be executable by other (o+x) and files need to be readible by other (o+r).

I have a ZenPhoto site. I want only my family members to be able to see it. As a result, I set it up with logins per member (using the ZenPhoto interface).

This works well for me. However, a possible scenario occurs to me:

I need to have the zenphoto directory be “world” readable so that Apache can get to it. However, doesn’t this mean that all other DreamHost shell users can also get to it?

More generally, my home directory has permissions 751 (the default). However, doesn’t that mean that anyone can cd into it? If, the zenphoto directory has permissions of 755, can’t anyone cd into that sub-directory and list the files? If, then a picture file in there (call it compromising.jpg) has permissions 644, can’t anyone look at it?



You can try to protect the directory with a username and password via DH panel --> Goodies --> Htaccess/WebDav

$50 off and 3 free domains with code: [color=#CC0000]DH3[/color] Sign Up NOW or More Codes Here


Thanks for the suggestion, patrick. However, using the WebDAV/htaccess method restricts you from accessing the directory using ssh (shell access). I know this is the case with WebDAV; not sure about htaccess.

Nonetheless, it does solve the problem in that the only way to access the directory will now be via the web. So, no one (including you) can access it from your shell account. I was wondering if there’s a way to allow shell access, allow limited (login) web access, but restrict other dreamhost users from shell access.



I don’t think that is possible.

Once you give access to the public, even with limited web access, the read permission must be granted to all. Therefore all users from web and shell have access to read the files. The only way to protect the directory is to set a username and password using htaccess or webdav.

If that does not work for you, I can’t think of anything to help. Let’s see other’s replies.

$50 off and 3 free domains with code: [color=#CC0000]DH3[/color] Sign Up NOW or More Codes Here


Turning on Enhanced Security for your user will stop others with shell access from getting into your home directory. Apache still runs, as it has the same access you do.

Did you manually install Zenphoto? The Easy One-Click install doesn’t go into your home directory.



Does Apaches still have the access on the directory if enhanced security is turned on?

$50 off and 3 free domains with code: [color=#CC0000]DH3[/color] Sign Up NOW or More Codes Here


It does for me. I have it turned on for all of my users.



that is good.

I haven’t tried that but it is a really good feature.

$50 off and 3 free domains with code: [color=#CC0000]DH3[/color] Sign Up NOW or More Codes Here


Excellent, Scott. This is exactly what I was looking for.

I was going down the path of chgrp my directory to dhapache. The DH admins did it for me with a test case. I’ll let you know if that works (too). I didn’t realize the web-panel had the equivalent functionality built-in. Thanks!