Writing

Atom feed icon Software, technology, sysadmin war stories, and more.

Thursday, May 1, 2025

Some thoughts on how control over web content works

During the lockdown of 2020 and subsequent Twilight Zone times that followed, I learned a bit about how a local restaurant's web site operates. That web site had become the lifeline for the business since everything had turned into takeout or delivery, and it wasn't always right, so I brought it up with the owner. He said he had "a guy who takes care of it". This makes sense since his thing was running a restaurant and keeping that going. He doesn't sit around dealing with domain names and web sites every day.

At one point "his guy" became unreachable for several months, and the restaurant owner asked me what his options were since he knew I was "one of these computer people". I had to lay out the top to bottom of how this stuff works in terms of "this content gets displayed with this name on it", and figured it might benefit others if I put some variant of it online.

Let's say you're the restaurant owner. You're paying some third party to run a web site and list your menu, hours, and that kind of stuff. They might also have some kind of thing rigged up to send orders through online, or an agreement with yet another vendor to do it through them.

You need to get something changed on the site. Maybe your menu changed and you need to warn people about the increased price of egg-based products. Maybe you have new hours of operation. Whatever. What steps can make that happen?

In no particular order, an incomplete list:

"Ask them to change it" - contact your person (people) and ask them to change it. That's what you're paying them for. You are paying them, right?

"Change the actual files" - find out how the serving of content works, gain access to it, and then make changes to the file(s). This requires account access to whatever they happen to be using to run the site. If it's just a bunch of flat files on a disk somewhere, it might be easy. If it's just one entry in a much bigger system, it might not. Also you have to know how to do this and/or have new people to do this for you (as with most of the entries in this list).

"Replace the document root" - figure out how the web server works, then swing your-restaurant.example.com around from their directory to your directory, or do the equivalent database wrangling if it's some dynamic thing. This requires some admin powers on the box/system itself.

"Take over the server" - gain admin powers on the box through security holes or good old-fashioned physical access and single-user mode. Then go in and change the document root, edit the files, or do whatever else you feel like doing. Requires security skills and/or physical access to the server.

"Replace the server" - find out where the server is (assuming it's just one machine) and then physically replace it with one that you control but is otherwise configured for the right IP address(es) and whatever else is required to serve the site. This might mean "unplug the old one and plug a new one in on the same spot". Requires physical access to the hosting arrangements, and if it's in the clown, yeah, forget about it.

"Change the DNS" - get access to whatever controls the DNS zone for that domain and repoint it to new hosting arrangements with new content installed. This means changing things like A and AAAA records and/or CNAMEs. Requires ability to log in to whatever's running the show.

"Change the primary nameservers" - get into the account at the registrar for the domain and repoint the primary nameservers to ones where you can set the data for the domain. Continue as above. Requires ability to log into the registrar account.

"Move the domain to another registrar" - maybe you can't get into the existing registrar, but maybe you can go through the transfer process to pull it to another one where you can change the nameservers. Then you proceed as in that option (above). Requires ability to transfer a domain, which typically involves a one-time key from the "losing" registrar, which in turn usually involves access to the account. There may be legal options for *yoinking* the domain without such access, assuming you can prove ownership, or otherwise bludgeon the companies involved into doing what you want.

Basically, if you actually own some of the items in question, you have options. If you are the owner of the registrar account and it's just some rando tech person who's a contact on it that does the work, you authenticate yourself to the registrar out of band, have them removed, get yourself (or a new tech rando) installed, and continue from there. The same applies for the DNS serving, or the actual web hosting.

This pattern pretty much plays out everywhere: is it your account? Or, did you pay them to "take care of everything" and your only "interface" to it is through them?

I don't think people really know the implications of some of these setups.

More writing | Contact / send feedback