security question: includes outside doc root

29/06/2007, 10:03   #1
Pugi!

I read that from a security point of view includes (containing PHP
code) should be located outside document root.
On a LAMP server, where do you place those includes?
My document root is /var/www/html (/var/www/html/site1,
/var/www/html/site2, ...). Is for example /var/www/phpincludes/ good
enough for security reasons?
(This way I do not have to change backup jobs).

Thanks,

JM

29/06/2007, 11:10   #2
J.O. Aho

Pugi! wrote:
> I read that from a security point of view includes (containing PHP
> code) should be located outside document root.
> On a LAMP server, where do you place those includes?
> My document root is /var/www/html (/var/www/html/site1,
> /var/www/html/site2, ...). Is for example /var/www/phpincludes/ good
> enough for security reasons?


You find your document root(s) in your Apache settings; an easy way to check
those is to just grep for DocumentRoot in the configuration files you have
for your sites.

Your document root seems to be /var/www/html/site1 for site1, so for that one
you can place files in /var/www/html/ and you will be outside the site's root
directory.
Your document root seems to be /var/www/html/site2 for site2, so for that one
you can place files in /var/www/html/ and you will be outside the site's root
directory.
If you have a default server running which has /var/www/html as document root,
then change that as fast as possible, as this can lead to security overrides;
create a new document root for it, for example /var/www/html/default, and move
all files there that don't have anything to do with your other sites.

The answer to your question is that /var/www/phpincludes/ is outside your
document roots.


--

//Aho
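
The check described in the answer above (grep the Apache configuration for DocumentRoot, then compare it with the include directory), written out as a shell script. This is an added example, not code posted by anyone in the thread; the function names and the sample vhost files are constructed for illustration, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: is an include directory inside any Apache DocumentRoot?
# Assumes paths without spaces; does not resolve symlinks or "..".

# Print each DocumentRoot value found under config directory $1.
list_docroots() {
    grep -rhi 'DocumentRoot' "$1" | awk '
        tolower($1) == "documentroot" {      # skips "#"-commented lines
            p = $2; gsub(/"/, "", p); sub(/\/+$/, "", p)
            print (p == "" ? "/" : p)
        }' | sort -u
}

# Succeed if path $1 is directory $2 itself or lies below it.
is_under() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every DocumentRoot that would make directory $1 web-reachable.
exposing_docroots() {
    list_docroots "$2" | while read -r root; do
        if is_under "$1" "$root"; then echo "$root"; fi
    done
}

# Constructed sample config: site1, site2 and a default vhost rooted at $1.
make_sample_conf() {
    dir=$(mktemp -d)
    for site in site1 site2; do
        printf '<VirtualHost *:80>\n    DocumentRoot "/var/www/html/%s"\n</VirtualHost>\n' \
            "$site" > "$dir/$site.conf"
    done
    printf '# DocumentRoot /old/path\n<VirtualHost *:80>\n    documentroot %s/\n</VirtualHost>\n' \
        "$1" > "$dir/000-default.conf"
    echo "$dir"
}

conf=$(make_sample_conf /var/www/html)
for inc in /var/www/phpincludes /var/www/html/includes; do
    hits=$(exposing_docroots "$inc" "$conf")
    if [ -n "$hits" ]; then echo "$inc is under DocumentRoot $hits"
    else echo "$inc is outside every DocumentRoot"; fi
done
rm -rf "$conf"
```

Alias directives and symlinks can also map a URL onto a directory outside every DocumentRoot, and this check does not cover them.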
04/07/2007, 22:31   #3
C.

On 29 Jun, 10:03, Pugi! <pugin...@gmail.com> wrote:
> I read that from a security point of view includes (containing PHP
> code) should be located outside document root.
> On a LAMP server, where do you place those includes?
> My document root is /var/www/html (/var/www/html/site1,
> /var/www/html/site2, ...). Is for example /var/www/phpincludes/ good
> enough for security reasons?
> (This way I do not have to change backup jobs).


FFS! Pugi! That's the last thing on your list of priorities when
choosing a directory.

Also one directory is far from appropriate for a sensible
architecture. I use at least 3:

/usr/share/php/ - stuff supplied off-the-shelf - PEAR, frameworks etc.
/usr/local/phpenv.inc/ - stuff specific to the environment this server runs in (develop/test/live) e.g. database credentials, database server, list of servers in cluster
/usr/local/phpbox.inc/ - stuff unique to this server

How you organise them should be determined by how you manage your
servers' filesystems - if that means changing your backup....guess
what.

C.
