How secure are *.inc files?

spstieng

How secure is .inc files?
How how does one go around protecting .inc files from being viewed
by outsiders?

I do not store my *.inc files in the root folder, I always store them
in a different folder. What chmod can be used on include folders but
still alows the system to read/write files??
How can files be protected from download withour proper security?

Here are some quotes from the .inc files? thread.

Philipolson :: 21.06.2003
Using .php as an extension is okay but certainly not ideal because
most likely you don't want the code to parse at all when called by itself.
Ideally you'd use an extension that won't parse at all and better yet
these files will be outside the document root but in the real world people
put includes in the document root. An example for disallowing direct
access to .inc files through Apache via .htaccess or httpd.conf is:

code:

<Files "*.inc">
Order allow,deny
Deny from all
</Files>

Ereptur :: 21.06.2003
Q -> If I CHMOD them to 600, can my pages still access and include them?
A -> Actually, no. Your webserver always needs to have read access to your
files and hence, someone browsing your site still has read access to your files.

Contradicts

HalfaBee :: 21.06.2003
Even if they can be read from the web I would still cmmod the files to 600.
If you are on a shared server it stops other users looking at the files.
All your scripts can still access them.

ereptur

Do a search on here. This exact issue was addressed not more than 4 days ago.

spstieng

If you bothered reading my thread, you would see that i was actually referencing the thread started 4 days (or so) ago.

It did not have a concluding (clear) answer to what is best "practice". It also has some contradicting comments.

So I "summarized" the important issues, and was hoping that someone could provide me with some more specific (hard facts) answers.

ereptur

It all depends on what your hosting situation is like. Not all hosts will allow you to use .htaccess files to keep people from your include directories. Likewise, many will not allow you to edit your VirtualHost settings to keep people out that way.

The best "generic" way of keeping your include files secure would have to be to just throw a .php extension on the end of them.

For clarity, many people choose .inc.php so they can easily tell which ones are includes and which ones aren't.

cgraz

my rule of thumb: don't story anything in a .inc file that you wouldn't want people viewing in plain txt.

Instead, use .php or .inc.php as ereptur suggested

Cgraz

nozom

I always use _ssi.php as my includes as i'm fussy with having 2 dots in the filename.

e.g. functions_ssi.php is my standard functions include (to state the obvious).

I used to have them with .inc until i realised my server was treating them as text files and promptly displaying the contents to all who addressed them directly.

anyway, my two penith worth.

nozom

kk5st

There are three ways to secure your .inc files:

Rename them to .php. But this confuses the advantage of naming conventions. I eschew this method.
Place .inc files outside the document tree. I do this with any file that a user should not have direct access to. eg.
/usr/lib/www/ <---doc root
/usr/lib/includes/ <---.inc home
/usr/lib/images/ <---gif's and png's etc
Add this little director to httpd.conf;
<Files ~ ".inc">
Order allow.deny
Deny from all
</Files>
I consider this basic. After all, you're never going to serve these up to the user, are you?

cheers,

gary

Weedpacket

Originally posted by kk5st
There are three ways to secure your .inc files:

Rename them to .php. But this confuses the advantage of naming conventions. I eschew this method.
[/B]

You missed the (mentioned several times) convention of giving them a .inc.php extension; which (a) identifies them as "include" files, (b) as a PHP include files, and (c), stops them being output as plain text on any server configured to process .php files as PHP.

kk5st

You missed the (mentioned several times) convention of giving them a .inc.php extension; which (a) identifies them as "include" files, (b) as a PHP include files, and (c), stops them being output as plain text on any server configured to process .php files as PHP.

No, I didn't miss it. I just didn't think it was a particularly important point. That's still a long way around the block to reach a result much more elegantly found by either or both of the other suggestions. It is a valid but ugly hack.

cheers,

gary

spstieng

Just what I was looking for!

I'll probably go for the .inc.php method and at the same time deny reading *.inc files in my .htaccess file.

I think that should be safe enough.
Also, if I use *.inc.php, I can in the first line in my inc file write: <?php die() ?> Then the script should die before doing anything!
Offcourse I will only do that on files that do not have any executable PHP functions :rolleyes:

Thanks for the help!!!

sdjensen

Could someone please tell me why the following isn't enough for protection the inc files?

<Files "*.inc">
Order allow,deny
Deny from all
</Files>