Re: [PHP] including files outside of document root



On Wed, January 23, 2008 1:50 pm, Roberto Mansfield wrote:
> Jason Pruim wrote:
>
>> Been doing some reading on security and have decided that I should
>> be storing my include files outside of the document root... Which I
>> understand how to do it, but what I'm wondering, is say I write the
>> Next Killer App (tm). How would I port that code easily off of my
>> server and put it into a downloadable file for the millions of
>> people who will download and run the Next Killer App (tm)?
>
> I tend to keep the directories in the document root, but I deny access
> via an .htaccess file. This keeps the code in a simple directory
> structure. Anyone else doing that?

I used to do that.

Then I had to move the site one day.

Simple enough...

tar -cvf moving.tar httpdocs
gzip moving.tar

Copy the file over, and untar it:

tar -xzvf moving.tar.gz

Should be all good to go, right?

Wrong!

tar didn't snag all the .htaccess files.

For a brief moment in time my source code was exposed.

And the admin had no password protection.

And the images being generated by PHP|GD didn't work.

And...

I found and fixed it easily enough, but it would have gone undetected
for a long time if I hadn't had the other issues.

So I don't do that anymore, and I put the .inc files outside the web
tree.

ymmv

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
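The failure in this thread is that an archive was moved without anyone noticing that the .htaccess files were not in it. Added example (not code from the thread): a pair of checks that compare the .htaccess files under the source tree against the archive listing, and against the extracted tree, so a missing access-control file fails the move instead of going live. Assumes GNU or BSD tar, a POSIX shell, and relative paths without whitespace.

```shell
#!/bin/sh
# Added example, not code from the original thread. Before a site moves,
# verify the archive really carries every .htaccess under the source tree,
# and after extraction verify the tree still has them, so a silently
# missing access-control file is caught before the site goes live.
# Assumes: GNU or BSD tar, relative paths without whitespace.

# Build the archive the post describes, with gzip applied in one step.
make_archive() {                    # $1 = source dir, $2 = archive path
  tar -czf "$2" "$1"
}

# Succeed only if every .htaccess under $1 is listed in archive $2.
# tar -t prints member names as given at creation time, so the find
# output must use the same relative prefix as the archive was built with.
check_htaccess_in_archive() {
  src="$1"; archive="$2"; missing=0
  listing=$(tar -tzf "$archive")
  for f in $(find "$src" -name .htaccess); do
    if ! printf '%s\n' "$listing" | grep -Fxq -- "$f"; then
      echo "MISSING from archive: $f" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Succeed only if every directory holding a .htaccess under $1 also holds
# one under the extracted tree $2 (same relative layout).
check_htaccess_extracted() {
  src="$1"; dst="$2"; missing=0
  for f in $(find "$src" -name .htaccess); do
    rel=${f#"$src"/}
    if [ ! -f "$dst/$rel" ]; then
      echo "MISSING after extraction: $dst/$rel" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}
```

Run the archive check right after make_archive on the old host and the extraction check right after untarring on the new one; a non-zero exit is the signal to stop before the site is served.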