What permissions for PHP scripts/directories?

php sql apache permissions
91,367

Solution 1

Directories must have execute permissions to be usable. Usually this is 0755. PHP scripts run via mod_php are not executed but rather read; 0644 will suffice for this. Directories that must be written to need to be owned by the user the web server is running as. There may be additional concerns regarding permissions, e.g. SELinux, but the above will get you through the basics.

Documents that must not be accessed by other users or external clients should be 0600, owned by the web server user, and located outside the DocumentRoot. Note that running mod_php in Safe Mode will prevent scripts from ever including anything outside the DocumentRoot; a lamentable flaw.

Solution 2

Set php files to 640

For maximum security you should set minimum permissions, which is 640.

  • The owner 6 would be the one uploading the files.
  • The group 4 would be the one serving the file. Make apache a group member.
  • The nobody 0 means no other users can read this file. It's important since php scripts sometimes have passwords and other sensitive data.

Never allow php scripts to be read by everyone.

Useful commands:

chmod 640 file.php
chown user:group file.php
usermod -a -G group apache

What these commands are doing:

  1. Change ownership of file.php so user can read and write, group read.
  2. Change ownership of file.php, to chosen user name and group name.
  3. Add apache to the group, so that apache can serve the file. Otherwise 640 will not work.

Solution 3

1) Files that end with a .php extension are handed off to the PHP compiler by Apache. If the proper configuration is not set up to do so, PHP files get served up as text files by the server. The Apache configuration line "AddHandler php5-script php" in the httpd.conf file is the PHP5 method of setting this up.

2) register.php needs to be accessible at http://www.example.com/php/register.php, as the java app is looking for it, so in the Apache htdocs folder, there needs to be a "php" folder with the register.php file in it.

3) PHP files need read access by the user that's running the Apache service. Using PHP as an Apache module has no 'service' to speak of that's separate for PHP. Instead the Apache service, when it gets a request for a PHP file, makes a shell call to the PHP binary to parse the file and hand the Apache service the result, which it serves to the client. Only if you were using PHP from the command line (CLI setup) would the scripts need execute permission, and start with a #!/path/to/php-bin line.

4) The requested file (register.php) needs to be in htdocs in order to be served by Apache. If PHP is running with "Safe Mode" disabled, register.php could include a file that was outside the htdocs folder.

5) The path "../inc/db_login.php" is relative to the PHP script that was originally fetched (register.php), so, since register.php is in htdocs/php/register.php, that would put db_login.php at htdocs/inc/db_login.php.

Share:
91,367
christophe milard
Author by

christophe milard

Updated on March 05, 2020

Comments

  • christophe milard
    christophe milard about 4 years

    I am trying to help a friend moving a web-site from one web-hotel to another. The old place is already closed, I have only a flat tar file of what was in it.

    The web site contained HTML docs and one could download a little Java application (to be loaded on mobile phone) to send data to the web site.

    The mobile Java application sent a string to URL=<HOST>/php/register.php. This php script included another php script (../inc/db_login.php), which connected to a SQL DB using $link=mysql_connect(). Another file, register.php, did the SQL insert for putting the new sent data in the DB.

    My question is basicaly, where I should put this 2 PHP files on the new website and what permissions the directories and files should have?

    The old web server obviously had a /php and /inc directories. None of these exists on the new webserver. Should I create them? What permission should they have? I guess the reason for having the password in a separate PHP file was security. The /php and /inc directory probably had different permissions.

    The new server has directories:

    • /httpdos
    • /httpsdos
    • /cgi-bin
    • /conf (and some others probably irrelevant)

    My questions

    1. Does the file-extension (.php) mean something to the server: as PHP scripts are "included" in HTML code (between <?...?>, does the server need to look at the file suffix or is it irrelevant? (I understand that the server reacts on the <?...?>, of course)

    2. should the public file (register.php in my case) be placed in the httpdocs/ directory or does the server (apache I think) reacts on something and fetches it in another directory?

    3. Should the PHP script have permission R-X (read and execute), --X (execute) or R-- (read)? From a OS perspective I guess apache is just reading this files, meaning that they should be R--, but this would mean that if PHP service is "stopped" the client would get all the PHP code in his browser(?). I would prefer it being --X but as this is neither a binary nor has a #!, I guess it must be --R?

    4. If the public PHP script can be placed in another dir (e.g /php instead of /httpdocs) what should /php (and the script) have for permission?. I guess the server has to know about this /php directory (or are there usual defaults?)

    5. The PHP script included (../inc/db_login.php, containing SQL password) should not be under /httpdocs I guess. This means that my register.php is including a file which is not under the /httpdocs subtree. Does this work? Does the server need to know?

    I understand you may need to know the server configuration. Just assume the default in your answer (and you can tell where it is changed if it is).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

file_put_contents php permissions
Internal server error while importing sql file?
Fatal error: Uncaught Error: Call to undefined function sqlsrv_connect()
Magento connect doesnt install extension
I cannot grant apache permissions to write to a file, what am I doing wrong?
PHP fopen() fails on files even with wide-open permissions
PHP print to printer (local / network) directly (stuck in print spooler)
mkdir(): Permission denied
Permission denied despite appropriate permissions using PHP
Apache permission denied