Posted to dev@httpd.apache.org by Ravindra Jaju <ja...@it.iitb.ac.in> on 2002/07/10 16:50:44 UTC
Preventing access to certain files via the server process
Hi.

Consider the following scenario.

In directory PRODIR ( short for protected directory ), I have certain
files which contain sensitive information ( say, database passwords,
embedded in some PHP scripts ). Let's consider "passwords.inc".

The PRODIR is protected with the .htaccess file, so no one can
_directly_ access those files through the web-server.

Files:
$PRODIR/.ht*
$PRODIR/passwords.inc

I don't want the passwords to be seen by other users on the same
system as well. So, the file permissions are such that others can't
see those files ( owner=user, group=group-of-apache-process and
perms = 750 ).

Now -

bash$ cat $UNPRODIR/crack.php
<? include( "$PRODIR/passwords.inc" ); ?>

Obviously, PHP ( or anything else ) won't respect the rules set for Apache.

Is there a way in which such add-ons ( like PHP ) can call Apache back
for such authorization services?

Of course, there can be work-arounds like making the user supply extra
information ( login/password ) through the browser and then using cookies,
but is there any other way?

regards,
jaju
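
The permission layout described in the message above, evaluated as an added example that is not part of the original post: it applies the POSIX owner/group/other rules to the 750 setup and shows that the server process identity passes the filesystem check, which is the only check an include() goes through. The numeric ids and the "/PRODIR" path are constructed, and it assumes PHP scripts run with the uid and group of the Apache process.

```python
import stat
from typing import NamedTuple

class Node(NamedTuple):
    """Constructed stand-in for the os.stat() fields of one path component."""
    path: str
    mode: int  # permission bits, e.g. 0o750
    uid: int
    gid: int

def class_bits(node, proc_uid, proc_gids):
    """rwx triplet POSIX applies to this process: owner, else group, else other."""
    perms = stat.S_IMODE(node.mode)
    if proc_uid == node.uid:
        return (perms >> 6) & 7
    if node.gid in proc_gids:
        return (perms >> 3) & 7
    return perms & 7

def can_read(chain, proc_uid, proc_gids):
    """chain lists the directories leading to the file, with the file last.
    Reading needs search (x) on every directory and read (r) on the file."""
    if proc_uid == 0:
        return True  # root is not limited by permission bits
    *dirs, target = chain
    if any(not class_bits(d, proc_uid, proc_gids) & 1 for d in dirs):
        return False
    return bool(class_bits(target, proc_uid, proc_gids) & 4)

# Constructed ids: uid 1000 owns the files, gid 48 is the group of the Apache process.
OWNER_UID, APACHE_UID, APACHE_GID, OTHER_UID = 1000, 48, 48, 1001
CHAIN = [
    Node("/", 0o755, 0, 0),
    Node("/PRODIR", 0o750, OWNER_UID, APACHE_GID),
    Node("/PRODIR/passwords.inc", 0o750, OWNER_UID, APACHE_GID),
]

def audit():
    """Who can read passwords.inc at the filesystem level (.htaccess plays no part)."""
    return {
        "owner": can_read(CHAIN, OWNER_UID, {1000}),
        "other local user": can_read(CHAIN, OTHER_UID, {1001}),
        # Any script run by the server, crack.php included, has this identity.
        "apache process": can_read(CHAIN, APACHE_UID, {APACHE_GID}),
    }

if __name__ == "__main__":
    for who, ok in audit().items():
        print(f"{who:18} {'can read' if ok else 'denied'}")
```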