maccy93 Posted November 24, 2011 Share Posted November 24, 2011 I read a while ago that it is best to place database login files out of the web root directory on your server, and that the idea behind it was so that if someone managed to see the directory listing they would not be able to just read the login details. So, as a result i went and place my login files back one directory from the public_html and then in a new directory called 'login'. But say someone did manage to somehow see my directory listing for the public_html folder, what username would they be logged onto the server as? And is this not the same username as the php program? Thus in the permissions for my new login directory should i only allow the php program username access to it? Quote Link to comment https://forums.phpfreaks.com/topic/251713-permissions-on-a-login-folder-out-of-the-public_html/ Share on other sites More sharing options...
trq Posted November 24, 2011 Share Posted November 24, 2011 I read a while ago that it is best to place database login files out of the web root directory on your server, and that the idea behind it was so that if someone managed to see the directory listing they would not be able to just read the login details. Clients cannot view the contents of php files unless your server becomes misconfigured and starts spitting out php as raw text. The rest of your question is far too vague to answer and depends entirely on how the client gains access. Quote Link to comment https://forums.phpfreaks.com/topic/251713-permissions-on-a-login-folder-out-of-the-public_html/#findComment-1290908 Share on other sites More sharing options...
Adam Posted November 24, 2011 Share Posted November 24, 2011 PHP runs under the Apache username, if that answers it? Quote Link to comment https://forums.phpfreaks.com/topic/251713-permissions-on-a-login-folder-out-of-the-public_html/#findComment-1290913 Share on other sites More sharing options...
maccy93 Posted November 24, 2011 Author Share Posted November 24, 2011 ok, So say my apache failed or my php program failed and instead of the user accessing my domain seeing the websites pages they instead saw the source of the php, is this the extent of the damage? Would they be able to jump around my servers directory outside of the public root? Number 5 on the security guide on this site (http://www.phpfreaks.com/tutorial/php-security) talks about placing files out of the public_html and including them, however i was just wondering if a random user would ever be able to access them? EG: var/www/index.php calls for a login file: var/wwwlogins/publicLogin.php permissions on wwwlogins: user access/write/list only and owner is www-data, and as adam posted this is the username of the apache If something failed, would there be any way of a random person somehow working their way back to wwwlogins to read the publicLogin.php file, thus learning my passwords? Quote Link to comment https://forums.phpfreaks.com/topic/251713-permissions-on-a-login-folder-out-of-the-public_html/#findComment-1290916 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.