Yes, I’ve read about the reason for not allowing users to change permissions on files and locking themselves out, but I am wondering if the mod_php module is loaded to protect PHP files from ever being displayed as text and downloaded, which would allow someone to see the code. Yes, I can mitigate this by preventing directory listing in the .htaccess file, but I’m just trying to secure the PHP files that contain database connection info. Luckily I had used chmod prior to this restriction being set, so that only the web server user had access to read and execute the file, but I’m wondering whether going forward we should just expect that our PHP files will be secure enough while hosted here. Thanks.
Perhaps this will help??
You can be confident that we provide PHP hosting, which means that .php files will be fed to a PHP interpreter. Whether that will use mod_php or some other way to run PHP is up to us, but the end result is the same.
We execute PHP under your own user, which means your PHP code has pretty much the same access to your files as you do. So you cannot do anything like this with chmod rules.
Yes, this is all you can do.
Basically, if you don’t trust us to adequately secure your website, don’t host your website with us.
Because the same configuration files that would make it possible to download .php files instead of executing them also make it possible to disable any mitigations for the above (like changing the executing user and disabling .htaccess files).
You’ve uploaded your website to our hosting environment, and we control how this environment works. That also means that we are technically able to change this. And you’ll just have to trust our intentions and our competence.
This goes for all hosting providers by the way. If you don’t trust anyone, you’ll have to purchase your own hardware and manage it yourself.
If by that you mean, some ideas on how NOT to do it, then absolutely.
That topic was a mess. But it turns out that if you want to both block all access to PHP files, but also want people to be able to access PHP files, things get confusing fast.
One thing you can do is to block or allow access only to specific files. For example, if you place your config.php file in a folder called config, and in that config folder you place a .htaccess file with the rule deny from all, it would prevent anyone from accessing anything directly in the config folder.
That won’t prevent people from being able to access any PHP code in the hypothetical situation where .php files are no longer treated as .php files, but it does let you keep sensitive data stored in specific files safe.
Wouldn’t downloading PHP files technically be impossible as PHP runs on the server and not the client? You’d have to do it on purpose to allow people to download it by printing out the contents of the PHP script, right?
@ealmonte32 if you want people not to access your PHP file directly, you can do this:
<?php
if (basename(__FILE__) == basename($_SERVER["SCRIPT_FILENAME"])) {
    # Do something if the file was accessed directly and not from an include or require
    exit;
}
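The snippet above compares only the file names, so a different file that happens to share a name would also pass the check, and path aliases (symlinks, `..` segments) can make two spellings of the same file look different. The following is an added example, not code from the thread or from the hosting provider, that turns the same idea into a helper comparing resolved full paths instead. It assumes a standard Apache/PHP setup where `$_SERVER['SCRIPT_FILENAME']` holds the path of the script the web server handed to PHP, and the `isDirectAccess` name and the config layout in the comments are the author's own choices.

```php
<?php
// Added example (not from the thread): decide whether the running file was
// requested directly by the client or pulled in via include/require.
// Assumption: $_SERVER['SCRIPT_FILENAME'] is the script the web server invoked
// (standard Apache/PHP behaviour).

declare(strict_types=1);

/**
 * Returns true when $file (normally __FILE__ of the caller) is the script the
 * web server invoked, i.e. the client requested it directly.
 *
 * Both paths are normalised with realpath() so a symlinked document root or a
 * "./config/../config/config.php" spelling does not defeat the comparison.
 * Comparing whole paths rather than basenames also avoids a false match
 * between two files that merely share a name.
 */
function isDirectAccess(string $file, ?string $scriptFilename = null): bool
{
    $scriptFilename ??= $_SERVER['SCRIPT_FILENAME'] ?? '';
    $self   = realpath($file);
    $script = realpath($scriptFilename);
    if ($self === false || $script === false) {
        // Cannot resolve one of the paths: fail closed and treat it as a
        // direct request so the caller refuses to run.
        return true;
    }
    return $self === $script;
}

// --- How a guarded config/config.php would use it (hypothetical layout) ----
//
//   require_once __DIR__ . '/../lib/guard.php';   // file holding isDirectAccess()
//   if (isDirectAccess(__FILE__)) {
//       http_response_code(403);
//       exit;
//   }
//   // CONSTRUCTED placeholder values, not real credentials:
//   return ['db_dsn' => 'mysql:host=localhost;dbname=app', 'db_user' => 'app'];
//
// Callers then do: $config = require __DIR__ . '/config/config.php';

// --- Self-check from the command line: php guard.php -----------------------
if (PHP_SAPI === 'cli') {
    // Case 1: the web server asked for this very file.
    var_dump(isDirectAccess(__FILE__, __FILE__));

    // Case 2: this file was include()d from another script; simulate that
    // other script with a temporary file so realpath() can resolve it.
    $other = tempnam(sys_get_temp_dir(), 'idx');
    var_dump(isDirectAccess(__FILE__, $other));
    unlink($other);
}
```

Two caveats worth keeping in mind. First, this guard only runs if PHP executes the file at all; in the scenario the thread discusses, where the server serves .php files as plain text, no in-file check can help, which is why the .htaccess rule on the config folder is the layer that actually matters there. Second, on Apache 2.4 the `deny from all` directive comes from mod_access_compat; the native 2.4 equivalent is `Require all denied`, so if the provider has not loaded the compatibility module the older directive will be rejected rather than silently ignored.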
Well, you need some server config to say that if a file has a .php extension, it should be run through the PHP interpreter. If we (or the user, through bad MIME type configuration) mess that up, the PHP source code would just be shown to the visitor.
You can mitigate this a bit with .htaccess rules. But you can also configure on the server level whether .htaccess files get evaluated at all, and which directives are supported. And if you need to fix your own bad .htaccess code with more .htaccess code, that also seems like a rabbit hole.
Thanks, this is pretty much the best approach for this whole thing dealing with sensitive PHP files in environments where we don’t control directory permissions, etc.
I’ll simply use a .htaccess file in both directories: in both to prevent directory listing, and in the config directory the deny all rule.
Thanks again.