Why can I not access the private/ directory using PHP under Apache?


There are three main reasons for this and it's due to the way both PHP and the directory are configured:



  • PHP is built into and run under the server, and as such will be given the apache user's permissions when it's running the script; and

  • As this is a generic set of permissions, the openbase_dir permission is set and limits PHP to accessing only the files within your own website, under httpdocs/; and

  • The private/ directory is set-up to give only you (using your FTP/SSH username and password) a private location which only you can access.


PHP under Apache


First, the majority of programs/sites run on our servers are in PHP, and the most efficient way to run PHP (at the moment) is to embed it within the server itself so that each time you make a request the whole PHP program doesn't have to start and shutdown. As it's already running, it just reads the script, runs it and then goes back to sleep.


Because it's run within the server program, it can only be given the permissions of the Apache server (specially the user apache and group apache). so that the PHP program can access all the sites and run all the code required.


To prevent other people from accessing your (and yours accessing other's, intentionally other otherwise) code, our servers, through Plesk, restrict this access via the openbase_dir setting, telling PHP to deny access to anything that's no under your httpdocs/ directory.


The settings, if changed (and pretty much only the openbase_dir setting can be changed here) would allow you to access the directory, ignoring issues with permissions explained below. But for the reason of permissions, it'll never work.


Permissions


The issues with the private/ directory becomes it's permissions. If you take a look, you'll see that the directory has the following value:


drwx------

The first letter (in Linux) means that it's a directory (a file is -, while other special files have different first letters). The important bit is in the remaining nine, each split into three sets of three values: uuugggwww. The first three are for the user the name/directory belongs do and sets what they can do with it. In this case rwx means that you can read it, write to it and execute it (for a directory that means you can traverse it, moving through and around the directory).


The second three are for the group which the file/directory is associated with. You can belong to many groups, while a group allows a level of shared access to a file or directory, etc. As you belong to a generic group for all hosting accounts (psacln, your directory has --- set (meaning no read, no write and no execute to everyone in the group, and as such, no access to any other hosting account execpt the owner of the domain as user's permissions override those of the groups).


The final three are for the world (basically anyone who isn't the user of the file/directory, or doesn't have access to the group), and again are --- to deny access


As the PHP, under Apache, runs under the username apache, it'll never match the first three. It does however has access to the group psacln, so can use that, but, because any script can run under it, giving access to the group may allow any script run under Apache access to your directory. Finally, by enabling the world permissions, anything can access it (and therefore it would no longer be private)


It's this difference in usernames and the way the script runs that gives the current restrictions to the private/ directory. As it's difficult to access via the Apache, general access (through openbase_dir is just disabled as a blanket ban)


suEXEC


However, we do use suEXEC on our servers with the cgi-bin/. If a script is installed there and run through the cgi-bin/ path, it will be given the username and password of the domain's main FTP account. So, just as you would be able to access it via FTP, so you can with this script. And, because it's running under your username you will not be able to get access to other parts of the server like would be possible under the generic username like apache.


.htaccess


Another way to restrict access to a directory, essentially making it private from the access over the website is to tell Apache that no-one can access it.


Simply create a directory, put the files you want in and then create a .htaccess file with the following contents:

Order Allow,Deny

Deny from All

Allow from None

And Apache will no longer give the web access to the domains contents. You can still access them using PHP scripts, etc. but not directory over the web.

  • 105 Users Found This Useful
Was this answer helpful?

Related Articles

Where is the perl interpreter (or program) located?

If you are running a script via the command line (and you have SSH access enabled), or you are...

Why does my script fail to run in the cgi-bin?

There are a number of reasons as to why you cannot get a script to run in your cgi-bin. They...

Can I install programs such as phpBB and Mambo?

All our accounts provide access to a wide-range of languages and utilities Using these, you are...

How do I enable register_globals (PHP)?

Since version 4.2.0 of PHP, the register_globals setting has been disabled by default on all new...

What is my Web Root or Document Root?

Some scripts/programs may ask you for your web root (or document root) when performing the...