PHP include file from outside of webroot

Question

I'm using Apache and PHP. Webroot directory is /home/name/public_html

I want to include a file from /home/name/abc.php

include_one "/home/name/abc.php";

I got failed to open stream: Permission denied warning.

If i move the same file inside the webroot /home/name/public_html/abc.php

There is no error.

Apache User and Group has the permission to access the file /home/name/abc.php

I have another server with the similar configuration, it is working. Just want to know the possible reason.

I tried to run the PHP script directly in linux console, there is no permission issue. I guess the problem is in Apache configuration.

This is not a problem, it's a security feature. Why does the file need to be outside of the webroot directory? — random_user_name, Jul 21 '16 at 18:51
php can read a file anywhere in the filesystem that it has the rights to REACH and READ. even if the file itself has read permissions, you still need access to its containing directory. — Marc B, Jul 21 '16 at 18:51
@cale_b: because not everything should be inside the webroot in the first place. by definition, anything inside the webroot is available to the world. one single config error or server glitch and you cuold be serving up raw php code, including whatever back-end credentials are stored in that code. — Marc B, Jul 21 '16 at 18:52

score 0 · Answer 1 · answered Jul 21 '16 at 18:58

You should verify that php is really executed as the apache user. Depending on your configuration it might be possible that php is running under a different user, e.g. if your Apache is set up to use php-fpm.

If the server is a linux system, putting this

<?php
echo "<pre>";
var_dump(posix_getpwuid());

into a file and accessing via the web browser should show you the user informations.

score 0 · Accepted Answer · edited May 23 '17 at 12:16

0

I found the way to solve this issue from here. I have SELinux running on my Centos 7 Virtual Server.

I need to grant httpd permission to read from /home dir using:

sudo setsebool httpd_read_user_content=1

edited May 23 '17 at 12:16

Community

1
1

answered Jul 22 '16 at 20:13

Tester

798
2
12
32

Do i need to have to run this command from /home folder? – jayaprakash R Apr 27 '22 at 17:33

PHP include file from outside of webroot

2 Answers2