Keith, in an old post you wrote: It is important to note, an actual editor should NOT be run from the common folders on a multi-domain installation. That is why we recommend creating a sub domain. That sub domain should contain ONLY the editwrx files and should not contain a working /data/users.txt or /data/config.txt or even a wrx.cgi. That common set of files should be a library only.
Due to my current server software subdomains get created under the web document root of the parent domain. Therefore I do not use a subdomain (I do not see the point). I installed editwrx under a folder called "editwrx" in the web document root. I have left the wrx.cgi, users.txt, and config.txt. The reason I have done this is to allow me to use the automated upgrade to upgrade the central copy of EditWrx. Why is it not recommended to run with the above files in place? If I remove the files above what is the recommended way to upgrade? Manually?
If you are going to do automatic updates, the library files need to be in the parent domain's path as you've done. Since your subdomain's are inside the parent's path it would make no sense for you to place the library in a subdomain. You are correct.
On a parent/child installation the child must have a clear pathway to the library. That means that the permissions for the parent's document root has to be 755. Many servers, such as Plesk, set the document root at 750. The 750 prohibits any users on the server from accessing the path except the owner of that domain. The caution to place libraries in a subdomain is targeted to anyone who has sensitive data, such as credit card info, in the path. With 755 permissions anyone on the server can read the files in that path, as long as the file itself has 644 or greater permissions.
Personally I do not use a subdomain for my parent. I'm on Plesk and I have the permissions on the parent's document root set at 755. And I DO have sensitive data files in the parent domain. I give those sensitive data file only 600 permissions. That way anyone on the server can enter the parent and read only the same files that Apache would deliver to a browser - no compromise. But the 600 permissioned files can only be read by the owner of the files in the domain - me.
