I am making an easy-to-setup, no-database PHP website which stores its data instead in text files.

The setup is a Linux/Apache/PHP server.

Up to now the information has been non-sensitive, so I store it in: ../data/system.txt. Theoretically someone could type (url)/data/system.txt in their browser and see the data file in plain text, which didn't matter up to now.

But now I want to store passwords so various groups can log in and see different information. These sites will be "low interest" and "low profile" sites and if someone is bored enough to hack the site and sees the information, it's not the end of the world, I just want to provide a modicum of technical hurdles so that the site can have individual and group access rights while retaining the ease of creating e.g. 50 of these sites without having to set up and maintain 50 databases.

My question is, what is the best way to protect these text files on Apache?

I can think of the following:

1) change the "../data" directory to some random directory name, e.g. "../data928374928374" as a kind of obfuscating measure

2) change the .txt file to .php and protect the text with PHP code like this:

    <?php
    echo 'access denied';
    die;
    /*
    ...store data here...
    */
    ?>

3) put this .htaccess file in the /data directory to protect files with .txt and other endings:

    <FilesMatch "\.(sqlite|xml|txt|csv|php)$">
    Deny from all
    </FilesMatch>

Here are my thoughts on these:

1) I could imagine there are ways to find out names of hidden directories on servers like this, is that true?

2) It is awkward to have a text file named .php and have PHP code in them since I want non-tech people to be able to edit the text files and just drop them as-is in the data directory and have them work, without having to "edify them with technical code". Not to mention this messes up the syntax-coloring in most editors.

3) Will this .htaccess file work on ALL servers? E.g. if I just copy the website as is to any Apache server, am I guaranteed that the files will be protected, or are there other settings which can turn off the effect of .htaccess files on Apache servers?

A: 

Store files containing anything sensitive outside of the htdocs tree?

Mark Baker
Yes, the goal is **one-step xcopy deployment**, I want non-tech people to be able to upload "all their files into a directory" and that's their data-based site without having to think about "SQL/connection-string-anything" or copying some data files back behind the htdocs root etc. Think of it like this: you want to create a "data-backed site" for 20 students in each of your 7 classes, so you are making 140 sites, it has to be **dead-easy to deploy and maintain but reasonably secure**, that's the goal.
Edward Tanguay
+3  A: 
  1. This would require bruteforce check but yeah.
  2. True, it complicates things for non-tech people. Plus I'd imagine you might not be able to do everything you want.
  3. .htaccess rules will work only for Apache servers where the directory is allowed to use htaccess rules (and allows overriding of parameters, if that is required). Also note that on some configurations the file might not be called .htaccess but something else.

You could also probably use SQLite or something similar that does not actually require a database server.

Another idea is to have a structure like

/app
   /public_html
   /data

and have public_html contain your website that is exposed to outside world and /data be not accessible (only by your scripts).

In the /app folder you can create an htaccess rule that will always redirect all requests to the public_html folder so it will not be visible to an outside user (it's possible to do that behind the scenes). And if both folders are copied over including the .htaccess file, this should be enough for one-step deployment.

AlexejK
Point 3 is interesting that is what I assumed. But one could also assume that most (99%) of web service providers who offer a LAMP stack will have .htaccess settings so that the above solution would work, right? I assume that a Windows server supporting PHP would not support .htaccess so that would be the only practical exception, right?
Edward Tanguay
For an Apache server it will work. Even Apache on Windows. For IIS it may be slightly harder.
AlexejK
Thanks for the below-root-access tip, that would definitely work but it is more important in this scenario to have "no residue" so e.g. 20 students can upload directories, build their sites, then delete them at the end of the hour where "deleting a site's directory deletes all its data, config files, everything" and not have files with passwords lying around behind the root that users forget to delete, forget where they are, etc.
Edward Tanguay
Also check http://support.microsoft.com/kb/324064 for Windows migration. It should be fairly simple to make a similar fallback. You can have sites where instead of the "app" folder you can use "student1" and then deleting that folder removes everything that's not needed at all. If needed you can also make a full backup of the data.
AlexejK
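
Because an .htaccess file is silently ignored when the host does not allow overrides, a copied site can check at deploy time whether its data directory is really refused over HTTP. The following is an added example, not code from the thread: the file name `selfcheck.php`, the function names and the canary file are hypothetical, and it assumes `allow_url_fopen` is enabled, `data/` is writable by PHP, and the site runs on the default port.

```php
<?php
// Added example (not from the thread). Hypothetical file: selfcheck.php, placed
// in the site root next to data/. Assumes allow_url_fopen is on and data/ is writable.

// Status code of the final response (one status line per hop if redirected).
function last_http_status(array $headers): ?int
{
    $status = null;
    foreach ($headers as $line) {
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m)) {
            $status = (int) $m[1];
        }
    }
    return $status;
}

// Drop a canary .txt into the data directory and try to fetch it like a browser would.
function data_dir_is_protected(string $dataDir, string $dataUrl): bool
{
    $name   = 'canary-' . bin2hex(random_bytes(8)) . '.txt';
    $marker = bin2hex(random_bytes(16));
    if (file_put_contents("$dataDir/$name", $marker) === false) {
        throw new RuntimeException("cannot write canary to $dataDir");
    }
    try {
        $ctx  = stream_context_create(['http' => [
            'ignore_errors' => true, // hand back the body on 4xx/5xx too
            'timeout'       => 5,
        ]]);
        $body = @file_get_contents("$dataUrl/$name", false, $ctx);
        $code = last_http_status($http_response_header ?? []);
    } finally {
        unlink("$dataDir/$name");
    }
    if ($body === false || $code === null) {
        throw new RuntimeException('self-request failed, protection state unknown');
    }
    // Protected only if the server refused AND the marker did not leak.
    return in_array($code, [401, 403, 404], true) && strpos($body, $marker) === false;
}

if (PHP_SAPI !== 'cli') {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $base  = ($https ? 'https' : 'http') . '://' . $_SERVER['SERVER_NAME']
           . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/\\');
    try {
        $ok = data_dir_is_protected(__DIR__ . '/data', $base . '/data');
    } catch (RuntimeException $e) {
        $ok = false; // fail closed: unknown counts as unprotected
    }
    header('Content-Type: text/plain');
    echo $ok ? "data/ is not served\n" : "data/ is NOT protected (or check failed)\n";
}
```

A site built this way can refuse to write password data until the check returns true, so a host that ignores .htaccess is noticed before anything sensitive is stored.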
A: 

If it's a PHP only read file, then it's pretty easy if you got a good host.

Most of the time, your web root isn't the server's one.

For example, on my host, the path to the web directory is /data/domain/www/ which is the path to http://www.domain.com/ in a browser.

But I can create a folder below that level, for example, /data/domain/secret_folder/ which can't be reached by a browser but can be read by PHP if it's on the same server, thanks to fopen.

Chouchenos