I'm trying to better secure my PHP application.

Goal: Cut off directory listing access for php files, but still execute them via browser by a user.

I currently have the var/www/html/ directory and its sub-directories owned by www-data. I am a member of the www-data group, as is www-data, and the owner has read/write/execute access. My program files are inside sub-directories and set to 644 - so you can't see their contents, but the directory still lists out the contents in a browser. When I cut off the public ability to see the directory listing, I can't execute them anymore... I know I'm on the right trail here, but I'm obviously screwing something up. I did play around with '.' prefixes to hide files, but that seems a bit low tech and non-reliable. Do I need to shuffle the groups/users around? I was just exploring a live site installed with a CMS and it seems it has this kind of ability and a similar setup... but it works.

I came across this answer, but is this really a secure option?

(htaccess) How to prevent a file from DIRECT URL ACCESS?

photocode

0 Answers