.inc security problem!

Anon

I just moved to a new host and finally being able to run my PHP files from the htdocs directory was nice, then I noticed I didn't have to upload in ASCII format or to CHMOD them to 755, (I was running them in cgi-bin before) I also noticed that you could just type in www.site.com/connect.inc and download it, slight problem that! So I can now either call it connect.php, or, as I am now doing, keep it in my cgi-bin folder where I can call it from, is there another way?

What should general PHP files be CHMODed to, and are there permission you can set .inc files to so that they can be used, and not simply viewed or downloaded by a user!

Thanks

[deleted]

Chmod is only for the local filesystem.
Your webserver needs to be able to read the files, so that means that if they are inside the documentroot, anybody using the webserver can read the files.

One way to solve the problem is to keep the files in a location where the webserver can still access the files, but from where the webserver refuses to serve the files. (the cgi-bin dir for example).
Another solution would be to make the webserver refuse to serve files with extention ".inc", but that's a workaround.

Anon

Okay, I guess I'll keep it in the cgi-bin, least I caught it before I released the page.

[deleted]

Well, in order to lookup the inc file, you'd first need to know it's name and location. If the webserver is setup correctly it will never show directory listings, and it will allways parse PHP code, so you can't find out what inc files are used anyway.

Anon

This is one reason inc and .asc files should never be used. Too often shared hosting providers don't have the right security setup for them.

If you use packages that use .inc maybe you should gently prod the maintainers to add .php or .php3 to the end.

salmon

Of course, if you're on a shared server and running PHP as nobody then anybody with an account on / shell access to that machine can still read the file.

The best way to go about things is to have your scripts run under your own username, and secure files with sensitive info such as database passwords outside of $DOCUMENT_ROOT, setting file permissions with chmod 600 (for files that only need to be read).

If your host doesn't provide a method for doing this, switch to one that knows what they're doing and is serious about security.

Anon

I wrote the file with inc on the end, just didn't know the problems with it beforehand having had this annoying host where everything HAD to be run in a cgi-bin on another site.

Anon

Well, it seems to work okay now, the host isn't that bad really, and its affordable (I'm a student so thats kinda important)

Thanks for the help all