I am trying to help a friend move a web-site from one web-hotel to another. The old place is already closed; I have only a flat tar file of what was in it.
The we
All the PHP files which are intended to be addressed directly via URLs can happily reside in the same directories as the static content (this is the usual practice).
It is good practice to have at least one directory outside those visible from the webserver to hold include files, but the PHP include path should still include '.'.
I'd recommend not putting lots of non-standard directories in your root filesystem - the default webroot varies by distribution, but I usually go with something like:
/var/www/htdocs - as the document root
/usr/local/php - for include files
Obviously if you intend running your webserver chroot, these should be mapped accordingly.
All files must be readable by the uid under which the webserver runs, however if you can restrict what is writeable by this uid as much as possible then you close off a potential attack vector.
I usually go with setting up my dirs as drwxrwSr-x owned by a member of a webdev group with the group ownership as the webdev team (the httpd uid is not in the webdev group), and files are therefore -rw-rw-r--. So anyone in the webdev group can change files, and the httpd uid can only read files.
1) Does the file extension (.php) mean something to the server:
Yes - go read the PHP installation guide.
C.
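A check for the permission scheme described in the answer above, as an added example that is not part of the original answer. It assumes the httpd uid is neither owner nor group member of the files, so the "other" bits are what it gets; the function name `audit_webroot`, the finding labels and the optional httpd-user argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit a document root against the layout in the answer.
# Assumption: the httpd uid is not the owner and not in the files' group,
# so the "other" permission bits decide what the web server may do.
# usage: audit_webroot DIR [HTTPD_USER_OR_UID]

audit_webroot() {
    root=$1
    httpd_user=${2:-}
    findings=$(
        # o+w lets the httpd uid (and everyone else) modify the content.
        find "$root" ! -type l -perm -0002 | sed 's/^/WORLD_WRITABLE /'
        # Files need o+r, directories o+rx, or the server cannot serve them.
        find "$root" -type f ! -perm -0004 | sed 's/^/NOT_READABLE /'
        find "$root" -type d ! -perm -0005 | sed 's/^/NOT_TRAVERSABLE /'
        # Without setgid, new files do not inherit the directory's group.
        find "$root" -type d ! -perm -2000 | sed 's/^/NO_SETGID /'
        # Anything owned by the httpd uid is writable by it (owner can chmod).
        if [ -n "$httpd_user" ]; then
            find "$root" -user "$httpd_user" | sed 's/^/OWNED_BY_HTTPD /'
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit.sh /var/www/htdocs www-data
# ("www-data" is a sample account name; use the uid your webserver runs as.)
if [ "$#" -ge 1 ]; then
    audit_webroot "$@"
fi
```

Each output line is a finding label followed by the path; the function returns non-zero when anything was found, so it can gate a deployment script.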