Internal and External protection for php sources
I have been trying to figure out how I can protect the contents of a file while still maintaining utility for web page generation. I would like to have account information (but never charge card numbers) and maybe MySQL passwords in an include file. Help me look for holes in the following thinking. I'm asking here first but may ask elsewhere later. There appear to be two, sometimes conflicting, requirements:
1. external security (users from the Internet)
2. internal security (other users on the same server)
The problem
For a file that I own to be browsable it must be chmod to xx4 (at a minimum) since apache/php runs as a different user (as nobody) and otherwise browsed-php cannot read the file. However, a permission of xx4 also gives other shell users on the same server (e.g. virtual hosting) read permission. Adding restrictions to .htaccess (e.g. password protection or allow, deny) can block browser access but has no effect on shell access by other users.
The Approach
1. chmod the directory to xx1 to prevent inadvertent indexing by browsers and viewing by shell users.
2. Use .htaccess to block apache/php access not originating on the home domain.
3. Deny access to other shell users by changing owner/group to nobody/me and by setting permissions to xx0.
The Discussion
External and internal security
Give the directory holding the file to be protected the permission of xx1 and not xx4/xx5.
xx1 seems to effectively block browser and shell views of the directory (in case your index.xxx or .htaccess does not work) but still allows apache/php access to specific files. Note that although this permission-set blocks viewing by shell access it does not prevent shell copying if the file name is known.
External security
Use .htaccess to limit browser access to php include files. The following seems to work.
<Limit>
order deny,allow
deny from all
allow from thisdomain
</Limit>
("thisdomain" could be an IP)
It seems to block direct access to the include file regardless of the extension (there was a discussion recently about which extension to use, .php, .txt, .inc, etc) and seems to block access regardless of the permissions (may be os-install specific). It still provides access to a php script running from the same domain. Good. There may be some issues about the ability to fake the client domain name (Domain spoofing?) but the host IP can be used and may circumvent the problem. Your thoughts?
Internal Security
Deny access to other users on the same server. Make the owner of the include file (the one to be protected) "nobody". Make the group the same as your user name. Set the permissions to 770 or any xx0. This gives all permissions to you and apache/php but denies world access (other shell users). Without root you will have to make these changes through a browsed php script. If it were not for this permission-limitation a shell user could run the script from his/her command line or include it into his own script, thus seeing the contents or output. Such a shell effort will run as him/herself. Under xx0 conditions these efforts will not have access. Your thoughts?
What have I overlooked? Is this good enough to hide MySQL passwords?
Projo
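A quick way to check the permission scheme described in the post above, as an added example that is not part of the original post: the script reports an include file that still grants anything to "other" (the post wants xx0) and a containing directory that "other" can list or write (the post wants xx1). The function names and the sample tree are assumptions constructed for illustration; ownership (nobody/me) is not checked.

```shell
#!/bin/sh
# Added example: audit the "other" permission bits from the post's scheme.

# Print the three "other" permission characters of a path, e.g. "r--" or "--x".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# Audit one include file:
#   file:      no permissions at all for "other"   (xx0)
#   directory: "other" may traverse, not list/write (xx1)
# Prints one line per finding and returns the number of findings.
audit_include() {
    file=$1
    dir=$(dirname -- "$file")
    findings=0

    fbits=$(other_bits "$file")
    if [ "$fbits" != "---" ]; then
        echo "FILE $file: other=$fbits, other shell users are not locked out"
        findings=$((findings + 1))
    fi

    dbits=$(other_bits "$dir")
    case $dbits in
        r??|?w?)
            echo "DIR  $dir: other=$dbits, directory can be listed or modified"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Demo on a constructed sample tree (created and removed under a temp dir).
demo=$(mktemp -d)
mkdir "$demo/inc" && : > "$demo/inc/db.inc"
chmod 755 "$demo/inc"; chmod 644 "$demo/inc/db.inc"
audit_include "$demo/inc/db.inc" || echo "findings: $?"
rm -rf "$demo"
```
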