Proper permissions, ownership to allow php to parse contents of file but disallow access from web browser

Question

I have a file with sensitive data in it that I parse in php as follows:

define('__PATHSECRET__', dirname(__ROOT__) . '/secretstuff');
$credFilePath = __PATHSECRET__ . '/credentials.ini'; 
$credArray = parse_ini_file($credFilePath);

How should I set the permissions on the directory and file so that I can parse the file using the code above, but prevent the contents of that file from being displayed in the web browser?

• linux server
• php runs as 'root'
• apache runs as 'apache'
• The only file in the secretstuff directory is credentials.ini
• I do not have access to modifying apache or php settings

I can't seem to get the right combination of ownership and permissions. I either end up with 'permission denied' on the parse_ini_file command or I'm able to browse the contents of the credentials.ini file.

Answer 1

You don't need to put the ini file under your webroot at all--it can be anywhere on the system. As for leaving it under the webroot but blocking its display, you can do this inside your Apache configuration or with a .htaccess file, and leave the UNIX file permissions alone:

<Directory "/var/www/secretstuff">
  Order allow,deny
  Deny from all
</Directory>

Answer 2

If you are not limited to .ini extension, you can change it to .php and comment out the first line as both ini-comment and PHP multiline comment and the last line as ini-comment and closing PHP multiline comment:

; <?php /*
[section1]
parameter = value

[section2]
parameter.foo = bar

; */

It will allow you to use parse_ini_file() and show only ;, if you request this file with browser.