his scripts are in /var/www where they belong but it should be running as an unprivileged user so if I do get shell access I can't do any damage. someone needs to school sid on best practices.