httpd-dev mailing list archives

From Ravindra Jaju <j...@it.iitb.ac.in>
Subject Preventing access to certain files via the server process
Date Wed, 10 Jul 2002 14:50:44 GMT
Hi.

Consider the following scenario.

In directory PRODIR ( short for protected directory ), I have certain
files which contain sensitive information ( say, database passwords,
embedded in some PHP scripts ). Let's consider "passwords.inc".

The PRODIR is protected with the .htaccess file, so no one can
_directly_ access those files through the web-server.

Files:
$PRODIR/.ht*
$PRODIR/passwords.inc

I don't want the passwords to be seen by other users on the same
system as well. So, the file permissions are such that others can't
see those files ( owner=user, group=group-of-apache-process and
perms = 750 )

Now -

bash$ cat $UNPRODIR/crack.php
<? include( $PRODIR/passwords.inc ); ?>

Obviously, PHP ( or anything else ) won't respect the rules set for Apache.
Is there a way in which such add-ons ( like PHP ) can call Apache back
for such authorization services?

Of course, there can be work-arounds like making the user supply extra
information ( login/password ) through the browser and then using cookies,
but is there any other way?

regards,
jaju
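
The scenario in the message above, modelled as an added example that is not part of the original post: the .htaccess rule is checked only against the requested URL, while an include is a plain file read made with the server process's own user and group. The user names, URL layout and prefix matching are assumptions that simplify real .htaccess handling.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    owner: str
    group: str
    mode: int  # POSIX permission bits

@dataclass(frozen=True)
class Proc:
    user: str
    groups: frozenset

def fs_can_read(proc, meta):
    """POSIX read check: only the first matching class (owner, group, other) applies."""
    if proc.user == meta.owner:
        return bool(meta.mode & 0o400)
    if meta.group in proc.groups:
        return bool(meta.mode & 0o040)
    return bool(meta.mode & 0o004)

def http_allows(url, denied_prefixes):
    """Simplified stand-in for the .htaccess rule: checked against the requested URL only."""
    return not any(url.startswith(p) for p in denied_prefixes)

def files_exposed(url, includes, server, files, denied_prefixes):
    """Files whose contents the script behind `url` can pull in when the server runs it."""
    if not http_allows(url, denied_prefixes):
        return []
    # Includes are plain file reads by the server process; no URL rule is consulted.
    return [p for p in includes.get(url, []) if fs_can_read(server, files[p])]

# Constructed sample data (all names hypothetical).
FILES = {"/prodir/passwords.inc": FileMeta("owner1", "www", 0o750)}
DENIED = ["/prodir/"]
INCLUDES = {"/unprodir/crack.php": ["/prodir/passwords.inc"]}
SERVER = Proc("www", frozenset({"www"}))
OTHER_USER = Proc("user2", frozenset({"users"}))

if __name__ == "__main__":
    secret = "/prodir/passwords.inc"
    print("direct HTTP request allowed:", http_allows(secret, DENIED))
    print("other local user can read:  ", fs_can_read(OTHER_USER, FILES[secret]))
    print("server process can read:    ", fs_can_read(SERVER, FILES[secret]))
    print("exposed via crack.php:      ",
          files_exposed("/unprodir/crack.php", INCLUDES, SERVER, FILES, DENIED))
```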

