Disabling PHP in a subdirectory via the apache2.conf?


Disabling PHP in a subdirectory via the apache2.conf?

Klaus Neudecker
Hello,

I have my Apache main directory: /www   (<Directory /www> /
DocumentRoot /www)

In this directory and its subdirectories *.php files get executed by PHP.

In the subdirectory /www/publications (and recursively in its
subdirectories) I allow people (relatively trustworthy!) on the
filesystem to drop publications, documentation, etc., which are
referenced by a database as path+filename to the files. PHP then
produces, from this database information, web pages with HTML links to
these files.

If people drop *.php files as documentation for the source code(!) in
/www/publications, these *.php scripts get executed, too. Dangerous(!)
and no documentation for the source code.

Therefore I want no *.php files to be executed within
/www/publications. They should be stupidly delivered like *.html files.

I already managed this by a .htaccess file with the entry "php_flag
engine off".

But the .htaccess file could be deleted, or .htaccess files with
"php_flag engine on" could get put in another subdirectory.  :-(

Therefore:

a) I want to put the "php_flag engine off" in the apache2.conf.

b) Add an "AllowOverride" in this apache2.conf that ONLY forbids
switching OF THE "PHP_FLAG ENGINE OFF" in this directory or any
subdirectory. (But I have to be able to use a .htaccess in these
directories with e.g. "Options +Indexes"!)

Does any of you have an idea how to implement this in the apache2.conf?

Sincerely

Klaus


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Disabling PHP in a subdirectory via the apache2.conf?

Stormy-7
On 2020-06-07 3:12 p.m., Klaus Neudecker wrote:

Maybe I've misunderstood your intentions, but.... In general, all files
in your /www should have permissions set to 644 and owned by www-data
(or another name for apache2.) Your true "executable" files, libraries
whatever should be excluded from DocumentRoot, maybe in /usr/share/myapp
or any other bin/sbin location located through your envars either system
wide or specifically for your setup in a .conf file, typically in
/etc/myapp. Anything less is probably going to leave you wide open to
mistakes and/or abuse, even by "relatively trustworthy" users.

Even if you relax permissions, e.g. 666 for files in user accessible
directories, you should never make them executable (unless you enjoy
rebuilding your server every time a script-kiddie wants to have fun.)

Good luck -- P.


Re: Disabling PHP in a subdirectory via the apache2.conf?

Klaus Neudecker
Thank you.

In general: I know there are much better ways to do this (but also
much more complex!), but the server runs _only_ in a very small
intranet. Therefore discussions about the design are not so helpful.

Sincerely

Klaus

On 07.06.2020 at 22:10, Paul A wrote:


Re: Disabling PHP in a subdirectory via the apache2.conf?

Jose R R
In reply to this post by Klaus Neudecker
Niltze [Hello], Klaus-

On Sun, Jun 7, 2020 at 12:12 PM Klaus Neudecker
<[hidden email]> wrote:

> Therefore:
>
> a) I want to put the "php_flag engine off" in the apache2.conf.
You may want to adapt this example to your main httpd.conf
< https://lxadm.com/Apache:_disabling_PHP_execution_in_selected_directories >

Best Professional Regards.

--
Jose R R
http://metztli.it
---------------------------------------------------------------------------------------------
Download Metztli Reiser4: Debian Buster w/ Linux 5.5.19 AMD64
---------------------------------------------------------------------------------------------
feats ZSTD compression https://sf.net/projects/metztli-reiser4/
-------------------------------------------------------------------------------------------
Official current Reiser4 resources: https://reiser4.wiki.kernel.org/

Re: Disabling PHP in a subdirectory via the apache2.conf?

Klaus Neudecker
Thank you very much, Jose!

Disabling the PHP scripts in the .conf works! Fine, half of the problem is solved!

BUT, I am not quite sure whether people are able to re-enable it by a .htaccess file.
I just tried this: I made an entry in the .conf:

<Directory "d:/...">
    php_admin_value engine Off
</Directory>

=> OK, works fine, the PHP is not processed, it comes as source code.

Then I put a .htaccess file into d:/... into which I wrote:
php_admin_value engine On

=> Apache delivered me a 500 error.

Therefore, does anyone know:
a) Does the Apache server already have a mechanism to block switching on the PHP engine in .htaccess files GENERALLY? (Switching off works!)
b) Better - in order to be 200% sure - is there a possibility like "AllowOverride" e.g. to disable switching the PHP engine on/off in .htaccess files?

Sincerely
Klaus
Jose R R <[hidden email]> wrote on 8 June 2020 at 00:14:


Re: Disabling PHP in a subdirectory via the apache2.conf?

Jose R R
On Tue, Jun 9, 2020 at 2:25 AM Klaus Neudecker <[hidden email]> wrote:

> Therefore, does anyone know:
> a) has the apache server already a mechanism to block the switching on of the php engine in .htaccess files GENERALLY? (switching off works!)
> b) Better - in order to be 200% sure - is there a possibility like "AllowOverride" e.g. to disable the switching on/off of the php engine in .htaccess files?
You should read up on the HTTPD documentation when in doubt, i.e.,
"When [AllowOverride] directive is set to None and AllowOverrideList
is set to None, .htaccess files are completely ignored. In this case,
the server will not even attempt to read .htaccess files in the
filesystem."
< https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride >

Good luck!

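One way to put together what Klaus asks for in a) and b), combined with the AllowOverride behaviour Jose points to, as an added example that is not from the thread: it assumes PHP runs as mod_php (so the php_admin_* directives exist) and Klaus's layout with the user-writable tree at /www/publications.

```apache
# Added example, not from the thread. Assumes mod_php (php_admin_* directives)
# and Klaus's layout: DocumentRoot /www, user-writable tree /www/publications.
<Directory "/www/publications">
    # (a) Turn the PHP engine off for this tree and everything below it.
    # php_admin_flag is a main-config-only directive: a value set this way
    # cannot be overridden by php_flag/php_value in a .htaccess, and a
    # php_admin_* line in a .htaccess is a config error (the 500 seen above).
    php_admin_flag engine Off

    # Also drop the PHP handler for script extensions so the files are served
    # as-is by the default handler; text/plain makes browsers show the source
    # inline instead of offering a download of application/x-httpd-php.
    <FilesMatch "\.(php|phtml|phar)$">
        SetHandler None
        ForceType text/plain
    </FilesMatch>

    # (b) .htaccess files may only change Options, and only the Indexes
    # option, so "Options +Indexes" keeps working. FileInfo (needed for
    # SetHandler/AddType) stays forbidden, so a .htaccess cannot re-attach
    # the PHP handler either. If no .htaccess is needed at all,
    # "AllowOverride None" is the stricter choice and Apache will not even
    # read the files.
    AllowOverride Options=Indexes
</Directory>
```

After a reload, requesting a .php file below /www/publications should return the file body with Content-Type text/plain, and a .htaccess containing php_flag engine On in that tree should produce a 500 rather than re-enabling execution.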