How to read files out of the apache folder using PHP

Question

I've been doing that for a long time, I mean, I can read and write files using PHP without any problem, but now I need to do something different, I need to access files out of the apache's www folder, for example:

I usually use the path /var/www/ when I'm using apache on Linux, but if I need to access the files in the folder /etc/anyfolder/anyfile.conf, how can I do that?

I've read some articles saying to give permission to the user that PHP uses to access the scripts, but I don't know about that, is it secure?

Answer 1

First look at chown of file if apache.

Secondly check for permission if readable/writeable.

Third you need look at your open_basedir parameter in php.ini and apache.

Answer 2

If you want to access any file via PHP then the user or group PHP runs under must have permissions to access that file. That being said, if you only need to read the file then you could clone the file and access the copy. If the file in question rarely changes then you could do this manually, otherwise you could do it via a shell script and cron which copies the file every so often (however often you need). That way you're not opening up permissions on the actual file. If you need to write to that file then I suppose you could do a similar approach (access a copy of the file via PHP then run a script that will copy that to the original file in your /etc folder but if you do this you should also validate whatever user input is being sent BEFORE writing to the original file to ensure nothing malicious is getting pushed.

The main thing you want to worry about is making your PHP files secure to protect against anyone running the scripts with malicious intent (which you should be doing with all PHP files regardless of their function). That means validating any user input and ensuring that if someone was to access any PHP files (or anything else on your server running under the same user/group as PHP) your sensitive system files would be protected. Also only provide the minimal permissions needed to do whatever you're doing (i.e. no need to give write or executable permissions if all you want to do is read the file, and no need to give directory level access if you only want to allow access to specific files in that directory).

One last thing is to look at why you need to give PHP access to these files in the first place and see if there's an alternative solution. If you're allowing access to /etc files then I assume they're config files for some application or another. Considering that updating a file like that would result in a change in the application's behavior for all other users is that really what you're going for?