Thank you.
In general: I know there are much better ways for this (but also
much more complex!), but the server runs _only_ in a very small
intranet. Therefore discussions about the design are not so helpful.
Sincerely
Klaus
On 07.06.2020 at 22:10, Paul A wrote:
On 2020-06-07 3:12 p.m., Klaus Neudecker wrote:
Hello,
I have my Apache main directory: /www (<Directory /www> /
DocumentRoot /www)
In this directory and its subdirectories *.php files get executed by
php.
In the subdirectory /www/publications (and recursively in its
subdirectories) I allow people (relatively trustworthy!) on the
filesystem to drop publications, documentations e.g. which are
referenced by a database as path+filename to the files. php then
produces with this database information www-pages with html-links to
these files.
If people drop *.php files as documentation for the source code(!) in
/www/publications these *.php scripts get executed, too.
Dangerously(!) and no documentation for the source code.
Therefore I want that no *.php files get executed within
/www/publications . It should be stupidly delivered like a *.html file.
Maybe I've misunderstood your intentions, but.... In general, all
files in your /www should have permissions set to 644 and owned by
www-data (or another name for apache2.) Your true "executable" files,
libraries whatever should be excluded from DocumentRoot, maybe in
/usr/share/myapp or any other bin/sbin location located through your
envars either system wide or specifically for your setup in a .conf
file, typically in /etc/myapp. Anything less is probably going to
leave you wide open to mistakes and/or abuse, even by "relatively
trustworthy" users.
Even if you relax permissions, e.g. 666 for files in user accessible
directories, you should never make them executable (unless you enjoy
rebuilding your server every time a script-kiddie wants to have fun.)
Good luck -- P.
I already managed this by a .htaccess file with the entry "php_flag
engine off".
But the .htaccess file could be deleted or .htaccess files with
"php_flag engine on" could get put in another subdirectory. :-(
Therefore:
a) I want to put the "php_flag engine off" in the apache2.conf.
b) Add an "AllowOverride" in this apache2.conf that allows ONLY no
switching OF THE "PHP_FLAG ENGINE OFF" in this directory or any
subdirectory. (But I have to be able to use a .htaccess in these
directories with e.g. "Options +Indexes"!)
Does anyone of you have an idea how to implement this in the
apache2.conf?
Sincerely
Klaus
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
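
An added configuration example for points a) and b) above; it is not from any message in the thread. It assumes PHP runs as mod_php (which the php_flag syntax in the thread implies) and uses the /www/publications path from the question.

```apache
# Added example, not from the thread. Assumes mod_php and the /www layout
# described in the question.

# Weak (the current state described in the thread):
#   /www/publications/.htaccess contains "php_flag engine off".
#   Anyone who can write to the tree can delete that file, or drop a
#   .htaccess with "php_flag engine on" into a subdirectory.

# Hardened: put the setting in apache2.conf, where filesystem users
# cannot reach it.
<Directory /www/publications>
    # php_admin_flag is only accepted in the server configuration, never in
    # .htaccess, and a value set with it cannot be overridden by php_flag
    # in .htaccess or by ini_set(). It applies to all subdirectories.
    php_admin_flag engine off

    # Let .htaccess files use the Options directive only, and only to
    # toggle Indexes ("Options +Indexes" keeps working). FileInfo and
    # AuthConfig stay disallowed, so SetHandler/AddHandler/AddType lines
    # in a dropped .htaccess are not accepted.
    AllowOverride Options=Indexes
</Directory>
```

Validate with `apachectl configtest` before reloading, then request a test .php file under /www/publications and confirm the source is returned rather than its output.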