On 2020-06-07 3:12 p.m., Klaus Neudecker wrote:
Hello,
I have my Apache main directory: /www (<Directory /www> / DocumentRoot
/www)
In this directory and its subdirectories *.php files get executed by php.
In the subdirectory /www/publications (and recursively in its
subdirectories) I allow people (relatively trustworthy!) on the
filesystem to drop publications, documentations e.g. which are
referenced by a database as path+filename to the files. php then
produces with this database information www-pages with html-links to
these files.
If people drop *.php files as documentation for the source code(!) in
/www/publications these *.php scripts get executed, too. Dangerously(!)
and no documentation for the source code.
Therefore I want that no *.php files get executed within
/www/publications. It should be stupidly delivered like a *.html file.
Maybe I've misunderstood your intentions, but.... In general, all files
in your /www should have permissions set to 644 and owned by www-data
(or another name for apache2.) Your true "executable" files, libraries
whatever should be excluded from DocumentRoot, maybe in /usr/share/myapp
or any other bin/sbin location located through your envars either system
wide or specifically for your setup in a .conf file, typically in
/etc/myapp. Anything less is probably going to leave you wide open to
mistakes and/or abuse, even by "relatively trustworthy" users.
Even if you relax permissions, e.g. 666 for files in user accessible
directories, you should never make them executable (unless you enjoy
rebuilding your server every time a script-kiddie wants to have fun.)
Good luck -- P.
I already managed this by a .htaccess file with the entry "php_flag
engine off".
But the .htaccess file could be deleted or .htaccess files with
"php_flag engine on" could get put in another subdirectory. :-(
Therefore:
a) I want to put the "php_flag engine off" in the apache2.conf.
b) Add an "AllowOverride" in this apache2.conf that allows ONLY no
switching OF THE "PHP_FLAG ENGINE OFF" in this directory or any
subdirectory. (But I have to be able to use a .htaccess in these
directories with e.g. "Options +Indexes"!)
Does anyone of you have an idea how to implement this in the apache2.conf?
Sincerely
Klaus
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
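
One way to get the behaviour asked for in the message above, shown as an added example that is not part of the original thread. It assumes PHP runs as the Apache module (mod_php), which the use of `php_flag` in the message implies, and it reuses the /www/publications path from the message.

```apache
# Added example for apache2.conf (or an included vhost file).
# Assumption: mod_php is loaded; the path is the one named in the message.

<Directory /www/publications>
    # php_admin_flag is accepted only in the server configuration,
    # never in .htaccess. A value set with it cannot be changed by
    # "php_flag engine on" in a .htaccess file or by ini_set().
    # With the engine off, .php files in this tree are served as
    # plain files instead of being executed.
    php_admin_flag engine off

    # Allow .htaccess files to use the Options directive, but only
    # to toggle Indexes. "Options +Indexes" in a .htaccess works;
    # other options such as ExecCGI or Includes are ignored, and
    # directives from other override classes (FileInfo, AuthConfig,
    # Limit) are rejected.
    AllowOverride Options=Indexes
</Directory>
```

A `<Directory>` block applies to all subdirectories, so dropping a new .htaccess anywhere below /www/publications does not re-enable PHP. Run `apachectl configtest` before reloading to confirm the syntax is accepted.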