Re: php includes in readable directory [message #181833 is a reply to message #181832]
Sun, 09 June 2013 10:59
J.O. Aho
Messages: 194 Registered: September 2010
Senior Member
On 09/06/13 11:39, John Anderson wrote:
> Hello,
> I've got a website where the apache directory is available to other
> users with shell accounts: /var/www/html.
>
> If I put something like 'db_login.php' in there with a MySQL password in
> it, and include it from index.php, then anyone with shell access will be
> able to read it.
No, it depends on the owner/group and other permissions.
Say you have a file x.php; it's owned by the user john and belongs to
the www-data group, and it has the following permissions:
-rw-r----- 1 john www-data 0 Jun 9 12:44 x.php
Then apache (assuming it is not using suExec) can read the file and john
can read and write to the file, but anyone else (except root) won't be
able to read the file.
In Linux and Unix it's not the location of a file that determines whether
someone can read it, but the permissions on the file and on the
whole path to the file.
You can have a file y.php which has the following permissions:
-rw-r--r-- 1 john www-data 0 Jun 9 12:44 y.php
and the /var/www/html has the following permissions:
drwxr-x--- 1 john www-data 0 Jun 9 12:44 html
then the file y.php is still only accessible to john, all members of the
www-data group, and root.
> So I move it out, but where? Is there a 'standard' place to put stuff
> like this? /usr/local seems too 'root-like', and I don't really want to
> put it into my $HOME, and give httpd the right to see in there.
If I were you, I would have things set up the following way:
The DocumentRoot is /var/www/example.net/html (replace example.net with
your domain name for the site, including the subdomain if there is one).
Place your site in /var/www/example.net/html, e.g. your index.php.
Place all your configuration files in /var/www/example.net/, e.g. your
db_login.php.
Secure /var/www/example.net by only allowing you and apache to
access the files in this directory. Give apache read permission only
to the files/directories which it is allowed to read or execute (keep in
mind PHP files do not need the execute permission set, as they are not
executed as such).
This way you protect your file from everyone who doesn't belong to the
group which is apache's default group, and those who visit the site can't
directly access the config file as it's outside the DocumentRoot.
A good thing is to not spread your files all around the server, as it
will be more difficult to maintain. Just see to it that your files are secured
with the correct permissions and owner/group assignments.
--
//Aho
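The layout and the path-permission rule from the reply above, as an added example that is not part of the original post or of any project. It builds the recommended tree (config file one level above DocumentRoot) under a scratch directory and then decides, from the mode bits on the file and on every directory above it, whether a given user could read it. It assumes GNU coreutils (stat -c, readlink -f); the user names john, www-data and mallory are hypothetical, and since only root can chown the tree to john:www-data, the scratch copy keeps the invoking user's owner and group.

```shell
#!/bin/sh
# Added example, not from the original post: build the layout the reply
# recommends and work out, from the permission bits on the file and on every
# directory above it, whether a given user could read it.
# Assumes GNU coreutils (stat -c, readlink -f). User names are hypothetical.

# perm_ok OWNER GROUP MODE USER "GROUP1 GROUP2 ..." r|x
# Apply one inode's owner, group and octal mode to USER (a member of the
# listed groups) and report whether USER has the read or search/execute bit.
perm_ok() {
  local owner group mode user groups want bit digit
  owner=$1; group=$2; mode=$3; user=$4; groups=$5; want=$6
  # root bypasses read and directory-search checks
  if [ "$user" = root ]; then return 0; fi
  if [ "$want" = r ]; then bit=4; else bit=1; fi
  # Unix picks exactly one class: owner, else group member, else other.
  # "0$mode" turns stat's "640" into the octal constant 0640.
  if [ "$user" = "$owner" ]; then
    digit=$(( (0$mode >> 6) & 7 ))
  else
    case " $groups " in
      *" $group "*) digit=$(( (0$mode >> 3) & 7 )) ;;
      *)            digit=$(( 0$mode & 7 )) ;;
    esac
  fi
  [ $(( digit & bit )) -ne 0 ]
}

# node_ok PATH USER GROUPS r|x : the same check with the bits read from disk.
node_ok() {
  local owner group mode
  owner=$(stat -c %U -- "$1") && group=$(stat -c %G -- "$1") \
    && mode=$(stat -c %a -- "$1") || return 2
  perm_ok "$owner" "$group" "$mode" "$2" "$3" "$4"
}

# can_read FILE USER GROUPS
# Every directory from / down to the file needs the search (x) bit for USER,
# and the file itself needs the read (r) bit. Reports the first refusal.
can_read() {
  local file user groups path dir
  file=$1; user=$2; groups=$3
  path=$(readlink -f -- "$file") || return 2
  dir=$(dirname -- "$path")
  while :; do
    if ! node_ok "$dir" "$user" "$groups" x; then
      echo "denied: $user has no search permission on $dir"; return 1
    fi
    [ "$dir" = / ] && break
    dir=$(dirname -- "$dir")
  done
  if ! node_ok "$path" "$user" "$groups" r; then
    echo "denied: $user has no read permission on $path"; return 1
  fi
  echo "allowed: $user can read $path"
}

# setup_layout BASE : the reply's layout under BASE, which stands in for
# /var/www and is therefore made world-searchable like it. In production you
# would additionally run, as root:  chown -R john:www-data BASE/example.net
setup_layout() {
  local base
  base=$1
  mkdir -p "$base/example.net/html"
  chmod 755 "$base"
  printf '<?php include __DIR__ . "/../db_login.php"; ?>\n' > "$base/example.net/html/index.php"
  printf '<?php $db_pass = "hypothetical"; ?>\n' > "$base/example.net/db_login.php"
  chmod 750 "$base/example.net"              # owner rwx, apache's group rx, others nothing
  chmod 755 "$base/example.net/html"
  chmod 640 "$base/example.net/db_login.php" # no x bit: PHP files are not run as programs
  chmod 644 "$base/example.net/html/index.php"
}

# Walk through the reply's scenario on a scratch copy of /var/www.
demo() {
  local base me grp
  base=$(mktemp -d)
  setup_layout "$base"
  me=$(id -un); grp=$(stat -c %G -- "$base/example.net")
  can_read "$base/example.net/db_login.php" "$me" ""        || :  # owner: allowed
  can_read "$base/example.net/db_login.php" www-data "$grp" || :  # apache via group: allowed
  can_read "$base/example.net/db_login.php" mallory ""      || :  # other shell user: denied at example.net/
  can_read "$base/example.net/html/index.php" mallory ""    || :  # 644 file, still denied: no x on example.net/
  rm -rf "$base"
}
demo
```

The last call is the y.php case from the reply: a world-readable file under a directory without the search bit for "other" is still unreadable, and the walk reports the directory, not the file, as the point of refusal. Loosening that directory to 755 lets mallory read index.php but still not the 640 db_login.php.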