Re: Disabeling PHP in a subdirectory via the apache2.conf?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2020-06-07 3:12 p.m., Klaus Neudecker wrote:
Hello,

I have my Apache main directory: /www   (<Directory /www> / DocumentRoot /www)

In this directory and its subdirectories *.php files get executed by php.

In the subdirectory /www/publications (and recoursly in its subdirectories) I allow people (relatively trustworthy!) on the filesystem to drop publications, documentations e.g. which are referenced by a database as path+filename to the files. php then produces with this database information www-pages with html-links to these files.

If people drop *.php files as documentation for the source code(!) in /www/publications these *.php scripts get executed, too. Dangerously(!) and no documentation for the source code.

Therefore I want that no *.php files get executed within /www/publications . It should be stupidely delivered like a *.html file.

Maybe I've misunderstood your intentions, but.... In general, all files in your /www should have permissions set to 644 and owned by www-data (or another name for apache2.) Your true "executable" files, libraries whatever should be excluded from DocumentRoot, maybe in /usr/share/myapp or any other bin/sbin location located through your envars either system wide or specifically for your setup in a .conf file, typically in /etc/myapp. Anything less is probably going to leave you wide open to mistakes and/or abuse, even by "relatively trustworthy" users.

Even if you relax permissions, e.g. 666 for files in user accessible directories, you should never make them executable (unless you enjoy rebuilding your server every time a script-kiddie wants to have fun.)

Good luck -- P.


I already managed this by a .htaccess file with the entry "php_flag engine off".

But the .htaccess file could be deleted or .htaccess files with "php_flag engine on" could get put in another subdirectory.  :-(

Therefore:

a) I want to put the "php_flag engine off" in the apache2.conf.

b) Add an "AllowOverride" in this apache2.conf that allowes ONLY no switching OF THE "PHP_FLAG ENGINE OFF" in this directory or any subdirectory. (But I have to be able to use a .htaccess in these directories with e.g. "Options +Indexes"!)

Does anyone of you have an idea how to implement this in the apache2.conf?

Sincerely

Klaus


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux