Jump to content

permissions on a login folder out of the public_html


Recommended Posts

I read a while ago that it is best to place database login files out of the web root directory on your server, and that the idea behind it was so that if someone managed to see the directory listing they would not be able to just read the login details.

 

So, as a result i went and place my login files back one directory from the public_html and then in a new directory called 'login'.

 

But say someone did manage to somehow see my directory listing for the public_html folder, what username would they be logged onto the server as? And is this not the same username as the php program? Thus in the permissions for my new login directory should i only allow the php program username access to it?

I read a while ago that it is best to place database login files out of the web root directory on your server, and that the idea behind it was so that if someone managed to see the directory listing they would not be able to just read the login details.

 

Clients cannot view the contents of php files unless your server becomes misconfigured and starts spitting out php as raw text.

 

The rest of your question is far too vague to answer and depends entirely on how the client gains access.

 

ok,

 

So say my apache failed or my php program failed and instead of the user accessing my domain seeing the websites pages they instead saw the source of the php, is this the extent of the damage?

 

Would they be able to jump around my servers directory outside of the public root?

 

Number 5 on the security guide on this site (http://www.phpfreaks.com/tutorial/php-security) talks about placing files out of the public_html and including them, however i was just wondering if a random user would ever be able to access them?

 

EG:

var/www/index.php    calls for a login file:

var/wwwlogins/publicLogin.php  permissions on wwwlogins: user access/write/list only and owner is www-data, and as adam posted this is the username of the apache

 

If something failed, would there be any way of a random person somehow working their way back to wwwlogins to read the publicLogin.php file, thus learning my passwords?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.