Posted by William Gill on 04/12/06 04:32
The odds of one of the scenarios mentioned AND someone trying to
compromise the options at the same time seem pretty low. Couple that
with the fact that the config files aren't holding anything too risky,
and it sounds like keeping the config directory in web space outweighs
editing every file that reads them (now and with every update).
Thanks,
Bill
Gordon Burditt wrote:
>> This is a PHP question that came up while working with SquirrelMail.
>> I read an installation procedure that suggested moving several
>> directories out of web space. Two of them make sense, but the third
>> directory houses configuration options in PHP files. If the web server
>> is properly optioned to serve .php files (by executing php and serving
>> the result), is there any reason to place this write-protected directory
>> outside of web space?
>
>> There is no way for someone to see anything
>> inside "<?php" and "?>" right?
>
> True if PHP is correctly configured and working, but it can happen if:
>
> (1) You lose the Apache directives that cause it to treat .php files
> as PHP (say, during an upgrade of Apache).
> (2) The PHP extension shared library gets deleted after a messy power
> brownout crash and subsequent fsck, and Apache can't load PHP.
> or
> (3) Briefly during an upgrade of PHP.
>
> You really ought to shut down Apache during upgrades of Apache or PHP
> but sometimes admins forget.
>
> "The files are secure if PHP is working" is less secure than "The
> files are secure if PHP is working (inside PHP section) and the
> files are secure if PHP is not working (outside document tree)".
>
> Gordon L. Burditt
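
Added example, not part of either post: a small audit for the condition Gordon describes, listing PHP files under a configuration directory that still sit inside the document root and would be sent as plain text if the PHP handler stopped loading. The directory names, the sample file contents and all function names are constructed for illustration.

```python
import os
import tempfile

def inside(root, path):
    """True if path, after resolving symlinks, lies under root."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root

def exposed_config_files(docroot, config_dir):
    """List PHP files in config_dir that the web server could serve as
    plain text if the PHP handler stopped working (paths relative to docroot)."""
    hits = []
    for dirpath, _dirs, files in os.walk(config_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if not inside(docroot, full):
                continue  # outside the document tree: never served directly
            with open(full, "rb") as fh:
                if b"<?php" in fh.read():
                    hits.append(os.path.relpath(full, docroot))
    return sorted(hits)

def response_leaks_source(body):
    """Heuristic for a fetched config URL: an executed config file returns
    no PHP open tag, so seeing one means the source was served raw."""
    return b"<?php" in body

def demo():
    # Constructed layout: one config dir inside the docroot, one outside it.
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    inside_cfg = os.path.join(docroot, "webmail", "config")
    outside_cfg = os.path.join(base, "private", "config")
    for d in (inside_cfg, outside_cfg):
        os.makedirs(d)
        with open(os.path.join(d, "config.php"), "w") as fh:
            fh.write("<?php $option = 'constructed-value'; ?>\n")
    return (exposed_config_files(docroot, inside_cfg),
            exposed_config_files(docroot, outside_cfg))

if __name__ == "__main__":
    in_tree, out_of_tree = demo()
    print("inside docroot:", in_tree)
    print("outside docroot:", out_of_tree)
```
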