comp.lang.php: php includes in readable directory
php includes in readable directory [message #181832] Sun, 09 June 2013 05:39
From: John Anderson
Hello,
I've got a website where the apache directory is available to other
users with shell accounts: /var/www/html.

If I put something like 'db_login.php' in there with a MySQL password in
it, and include it from index.php, then anyone with shell access will be
able to read it.

So I move it out, but where? Is there a 'standard' place to put stuff
like this? /usr/local seems too 'root-like', and I don't really want to
put it into my $HOME, and give httpd the right to see in there.

Thanks.
Re: php includes in readable directory [message #181833 is a reply to message #181832] Sun, 09 June 2013 06:59
From: J.O. Aho
On 09/06/13 11:39, John Anderson wrote:
> Hello,
> I've got a website where the apache directory is available to other
> users with shell accounts: /var/www/html.
>
> If I put something like 'db_login.php' in there with a MySQL password in
> it, and include it from index.php, then anyone with shell access will be
> able to read it.

No, it depends on the owner/group and other permissions.
Say you have a file x.php; it's owned by the user john, belongs to
the www-data group, and has the following permissions:

-rw-r----- 1 john www-data 0 Jun 9 12:44 x.php

Then apache (assuming you are not using suExec) can read the file and john
can read and write to the file, but anyone else (except root) won't be
able to read the file.

In Linux and Unix it's not the location of a file which determines whether
someone can read it, but the permissions on the file and on the
whole path to the file.

You can have a file y.php which has the following permissions:

-rw-r--r-- 1 john www-data 0 Jun 9 12:44 y.php

and the /var/www/html has the following permissions:

drwxr-x--- 1 john www-data 0 Jun 9 12:44 html

the file y.php is still only accessible to john, all members of the
www-data group, and root.


> So I move it out, but where? Is there a 'standard' place to put stuff
> like this? /usr/local seems too 'root-like', and I don't really want to
> put it into my $HOME, and give httpd the right to see in there.

If I were you, I would set things up the following way:

The DocumentRoot is /var/www/example.net/html (replace example.net with
your domain name for the site, including the subdomain if there is one).

Place your site in /var/www/example.net/html, e.g. your index.php.

Place all your configuration files in /var/www/example.net/, e.g. your
db_login.php.

Secure /var/www/example.net by only allowing you and apache to
access the files in this directory. Give apache only read permission
to files/directories which it's just allowed to read or execute (keep in
mind php files do not need the execute permission set, as they are not
executed as such).

This way you protect your file from everyone who doesn't belong to the
group which is apache's default group, and those who visit the site can't
directly access the config file as it's outside the DocumentRoot.

A good thing is to not spread your files all around the server, as it
will be more difficult to maintain. Just see to securing your files with
the correct permissions and owner/group membership.

--

//Aho
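As an added example (not code from the thread), a small Python checker that applies the rule Aho describes, search (x) permission on every directory along the path plus read permission on the file itself, to a constructed tree mirroring the suggested layout. The uids/gids, the extra shell user "alice" and the file modes are assumptions.

```python
import os
import stat
from collections import namedtuple

# Minimal stat-like record so the checker can run against constructed
# entries; the real os.stat also fits can_read's lookup parameter.
Entry = namedtuple("Entry", "st_mode st_uid st_gid")

def _class_allows(st, uid, gids, owner_bit, group_bit, other_bit):
    """Unix rule: root bypasses; otherwise exactly one class applies
    (owner if you own it, else group if you are in its group, else other)."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def can_read(path, uid, gids, lookup=os.stat):
    """Return (True, None) if the user can read `path`, else (False, component)
    naming the first directory lacking search permission, or the file itself."""
    parts = os.path.abspath(path).split(os.sep)[1:]
    cur = os.sep
    for part in parts:                     # "/" and every ancestor need x
        if not _class_allows(lookup(cur), uid, gids,
                             stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, cur
        cur = os.path.join(cur, part)
    if not _class_allows(lookup(cur), uid, gids,   # the file itself needs r
                         stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, cur
    return True, None

# Constructed tree (assumed uids/gids): config outside the DocumentRoot,
# with the site directory closed to "other" exactly as suggested above.
ROOT, JOHN, WWW, ALICE = 0, 1000, 33, 1001   # alice: another shell user
TREE = {
    "/": Entry(0o755, ROOT, ROOT), "/var": Entry(0o755, ROOT, ROOT),
    "/var/www": Entry(0o755, ROOT, ROOT), "/var/www/html": Entry(0o755, ROOT, ROOT),
    "/var/www/html/x.php": Entry(0o640, JOHN, WWW),              # -rw-r-----
    "/var/www/example.net": Entry(0o750, JOHN, WWW),             # drwxr-x---
    "/var/www/example.net/db_login.php": Entry(0o644, JOHN, WWW),  # -rw-r--r--
    "/var/www/example.net/html": Entry(0o750, JOHN, WWW),
    "/var/www/example.net/html/index.php": Entry(0o644, JOHN, WWW),
}
USERS = {"root": (ROOT, {ROOT}), "john": (JOHN, {JOHN}),
         "www-data": (WWW, {WWW}), "alice": (ALICE, {ALICE})}

def who_can_read(path):
    """Map each constructed user to (readable?, blocking component)."""
    return {n: can_read(path, u, g, TREE.__getitem__) for n, (u, g) in USERS.items()}
```

Note that db_login.php is world-readable by its own mode bits, yet alice is stopped at /var/www/example.net, which is the "whole path" point made above.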
Re: php includes in readable directory [message #181834 is a reply to message #181832] Sun, 09 June 2013 09:11
From: Thomas 'PointedEars'
John Anderson <johnand982SPAM(at)gmail(dot)com> wrote:

> [something]

<http://news.individual.net/rules.php>

HTH

PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)
Re: php includes in readable directory [message #181835 is a reply to message #181832] Sun, 09 June 2013 09:16
From: Jerry Stuckle
On 6/9/2013 5:39 AM, John Anderson wrote:
> Hello,
> I've got a website where the apache directory is available to other
> users with shell accounts: /var/www/html.
>
> If I put something like 'db_login.php' in there with a MySQL password in
> it, and include it from index.php, then anyone with shell access will be
> able to read it.
>
> So I move it out, but where? Is there a 'standard' place to put stuff
> like this? /usr/local seems too 'root-like', and I don't really want to
> put it into my $HOME, and give httpd the right to see in there.
>
> Thanks.
>

Security 101: Accounts should only have access to what they need.
Unless they are directly involved in coding the website, they should not
have access to /var/www/html.

You need to study up on Linux permissions (and perhaps get a Linux admin
to help you configure your system correctly).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: php includes in readable directory [message #181836 is a reply to message #181835] Sun, 09 June 2013 10:27
From: John Anderson
In article <kp1uur$8nj$1(at)dont-email(dot)me>,
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

> On 6/9/2013 5:39 AM, John Anderson wrote:
>> Hello,
>> I've got a website where the apache directory is available to other
>> users with shell accounts: /var/www/html.
>>
>> If I put something like 'db_login.php' in there with a MySQL password in
>> it, and include it from index.php, then anyone with shell access will be
>> able to read it.
>>
>> So I move it out, but where? Is there a 'standard' place to put stuff
>> like this? /usr/local seems too 'root-like', and I don't really want to
>> put it into my $HOME, and give httpd the right to see in there.
>>
>> Thanks.
>>
>
> Security 101: Accounts should only have access to what they need.
> Unless they are directly involved in coding the website, they should not
> have access to /var/www/html.
>
> You need to study up on Linux permissions (and perhaps get a Linux admin
> to help you configure your system correctly).

Thanks, but I've administered Solaris for twenty years.

I've just never done any PHP until now.
Re: php includes in readable directory [message #181837 is a reply to message #181832] Sun, 09 June 2013 11:44
From: Fred
On 06/09/2013 11:39 AM, John Anderson wrote:
> Hello,

Hello,

> I've got a website where the apache directory is available to other
> users with shell accounts: /var/www/html.

Why?

>
> If I put something like 'db_login.php' in there with a MySQL password in
> it, and include it from index.php, then anyone with shell access will be
> able to read it.
>
> So I move it out, but where? Is there a 'standard' place to put stuff
> like this? /usr/local seems too 'root-like', and I don't really want to
> put it into my $HOME, and give httpd the right to see in there.
>
> Thanks.

You can do it with the Apache module mod_userdir.
Re: php includes in readable directory [message #181838 is a reply to message #181836] Sun, 09 June 2013 16:09
From: Denis McMahon
On Sun, 09 Jun 2013 15:27:13 +0100, John Anderson wrote:

> Thanks, but I've administered Solaris for twenty years.
>
> I've just never done any PHP until now.

Don't put the password file anywhere under the webroot.

If you've been administering Solaris for the last 20 years, then it's
reasonable to assume that you know enough about setting file and dir
permissions to place a file in your $HOME that is editable by you and
readable by www-data, without exposing the rest of your $HOME to being
readable by www-data.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: php includes in readable directory [message #181839 is a reply to message #181836] Sun, 09 June 2013 16:57
From: Jerry Stuckle
On 6/9/2013 10:27 AM, John Anderson wrote:
> In article <kp1uur$8nj$1(at)dont-email(dot)me>,
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 6/9/2013 5:39 AM, John Anderson wrote:
>>> Hello,
>>> I've got a website where the apache directory is available to other
>>> users with shell accounts: /var/www/html.
>>>
>>> If I put something like 'db_login.php' in there with a MySQL password in
>>> it, and include it from index.php, then anyone with shell access will be
>>> able to read it.
>>>
>>> So I move it out, but where? Is there a 'standard' place to put stuff
>>> like this? /usr/local seems too 'root-like', and I don't really want to
>>> put it into my $HOME, and give httpd the right to see in there.
>>>
>>> Thanks.
>>>
>>
>> Security 101: Accounts should only have access to what they need.
>> Unless they are directly involved in coding the website, they should not
>> have access to /var/www/html.
>>
>> You need to study up on Linux permissions (and perhaps get a Linux admin
>> to help you configure your system correctly).
>
> Thanks, but I've administered Solaris for twenty years.
>
> I've just never done any PHP until now.
>

OK, so you're familiar with Linux administration. There isn't any
difference between PHP and any other language; you provide the necessary
access and only the necessary access.

Perhaps your problem is not understanding how to configure your system
for an Apache environment, where all users run under www-data.

The question remains: if you have only one website on your system, why
would you have untrusted users accessing /var/www/html? If you do have
multiple sites, why would any site have access to other sites' files?
(I keep multiple sites in their own directories, i.e.
/var/www/example/html, /var/www/invalid/html, etc.)

If you're concerned about other sites' files accessing your
userid/password from PHP code, perhaps you need to look into chrooting
Apache. If you're not familiar with chroot, it will take a little
setting up. But there are a number of good tutorials on the web.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================