Protecting system PHP includes folder from local php script access
The Config:
Webserver Apache 2.2 / mod_php 5.3 (FreeBSD 8)
User websites: /home/user/public_html
Platform files: /usr/local/myPlatform/
The Premise:
Each vhost in the apache config has the platform directory aliased to /myPlatform so it can be accessed via hxxp://www.mysite.com/myPlatform - This is to keep the source of the platform system safe from being stolen by a user.
The Problem:
The platform directory is 500 owned by the apache user. This is good and keeps the shell users from being able to view the files and still allows apache to read and exec the php files. However, one could conceivably create a PHP script (which runs as apache) to parse the directory listing, copy the files and give them as a zip download or something to the person. Obviously this is obscure and more or less unlikely but still possible.
Is there any way to prevent this? I.e., blacklist that directory from fopen, shell, and shell_exec commands?
For that matter, is there a way to do this in such a way that works for all server side scripting languages such as perl, in addition to php?
Possible to do this without suPHP or suExec?