Hockey wrote: In most shared hosting environments that I work in (I work in a lot, probably upwards of 50 different hosting companies a day - setting up software) are usually run under PHP not FTP. Although I have seen a few.
My suggestion would require running PHP as its own user, so something like PHPSUEX...
I could agree with you, but not in this case (the OP)... You have no prior knowledge about the target's hosting environment, while .htaccess would work on ALL setups. And still, there are "a few" hosting companies that run under FTP...
Hockey wrote: I'm missing something... If you had PHP run under a user which had ownership of the files and you set the GLOBAL permissions to 770 so nothing on the outside world could access your files but your PHP scripts could... how is that not giving you READ/WRITE protection???
I meant that if you have an Apache or PHP script exploit, then the fewer files one can write to, the more secure you are. So, if my files inside the web root are not owned by the Apache/PHP user and they are chmoded 644, then one won't even be able to deface my site (that is for "write protection").
I know that there are many and various techniques to secure a hosting environment, but I think that discussing them is a little bit out of the scope of this discussion. The question was - "Can I use CHMOD to protect from direct browsing?" - the simplest answer is: "No". That's it.
Using chmod would still require a PHP wrapper script, right? So, both (htaccess and chmod) approaches would need PHP wrappers, but your approach *insists* that there should be a separate PHP user, not the Apache user - so, your solution is more complicated and there are cases which it could not be applied to.
I do like this kind of conversation, so I would be glad to continue it.
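
Added example, not part of the original post: a small audit for the "write protection" point above, listing which paths under a web root a given account could modify according to the classic owner/group/other mode bits. The function names, the constructed sample tree and the "separate web-server uid" are assumptions made for illustration; ACLs and other access-control layers are not considered.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Classic Unix mode-bit check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_by(root, uid, gids):
    """Relative paths under root that a process running as uid/gids could modify."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                 # symlink modes are not meaningful
            if can_write(st, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed web root: two 644 files, one 666 file, one 755 directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        os.chmod(os.path.join(root, "uploads"), 0o755)
        for name, mode in [("index.php", 0o644), ("config.php", 0o644),
                           (os.path.join("uploads", "cache.dat"), 0o666)]:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)
        owner = os.lstat(os.path.join(root, "index.php"))
        # Hypothetical separate web-server account: a uid/gid that owns nothing here.
        other_uid, other_gid = owner.st_uid + 1, owner.st_gid + 1
        separate = writable_by(root, other_uid, {other_gid})
        same = writable_by(root, owner.st_uid, {owner.st_gid})
        return separate, same

if __name__ == "__main__":
    separate, same = demo()
    print("web server as separate user can write:", separate)
    print("web server as file owner can write:  ", same)
```

On a real host, pass the uid and group ids of the account the web server or PHP actually runs as; anything the audit lists is something a script exploit running as that account could overwrite.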
