Results 1 to 4 of 4
  1. #1
    Join Date
    Feb 2006
    Kepler 62f

    Prevent htaccess overrides, PHP on cPanel

    I have folders that users will be FTP'ing to.
    By default, cPanel allows PHP. That's not safe, not what I want.

    The domain root will be unavailable to them.
    Using htaccess, I want to
    - disable PHP extensions via htaccess,
    - prevent htaccess overrides --- so somebody can't just override it and re-enable the PHP extensions

    I'm not seeing what to do here.
    My own trials were wrong, and some things I found via Google were wrong.
    I kept getting 500 errors.

    This was so much easier on Windows.



  2. #2
    Join Date
    Feb 2005
    Does it have to be done in .htaccess or can you edit the config files (httpd.conf et al)? This is much better done in the config files (in a Directory or DirectoryMatch container). Other than having root change ownership / permissions on .htaccess IDK how you'd protect it against modification.

    Then it depends how you run PHP: "php_admin_flag engine off" works for DSO but for suPHP I think you need a different php.ini.

    IIRC cPanel used to have a stupid default allow-cgi-everywhere setup - if that's still the case you'll also need "Options -ExecCGI".
    Last edited by foobic; 10-04-2013 at 02:22 AM.

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  3. #3
    Join Date
    Mar 2005
    Is there a need to allow the FTP access to the folder that is inside the docroot?

    I would have thought that choosing the appropriate permissions and directory location is a better option than potentially allowing something that is not wanted to be available once uploaded.
    CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
    Running Linux since 1.0.8 Kernel!
    Providing Internet Services since 1995 and Hosting Since 2004

  4. #4
    Join Date
    Feb 2006
    Kepler 62f
    The entire domain (subdomain actually) can be disabled, if needed.

    There's going to be dozens of users, and I want to prevent any common security risks -- PHP, ini files, htaccess, etc. I trust them all, but I'd rather be safe than sorry. They will all need FTP access. It's for large files to be attached to a forum manually.

    It's suPHP.

    htaccess was just am idea. I'm open to others.

    Because users will be added as needed, frequency unknown but assumed several monthly, I want this to be as easy as possible. htaccess was easy. If that means disabling it on the whole domain, then so be it.
    || Need a good host?
    || See my Suggested Hosts List || Editorial: EIG/Site5/Arvixe/Hostgator Alternatives

Similar Threads

  1. how to prevent user from using AddHandler in .htaccess
    By ezak in forum Hosting Security and Technology
    Replies: 3
    Last Post: 09-26-2010, 11:30 AM
  2. prevent direct file download but allow php download via htaccess
    By yohanesw in forum Programming Discussion
    Replies: 3
    Last Post: 01-18-2009, 03:15 PM
  3. prevent .htaccess override of upload_max_filesize only?
    By zooserve in forum Hosting Security and Technology
    Replies: 4
    Last Post: 07-26-2008, 04:18 PM
  4. using .htaccess with Godaddy to prevent hotlinking
    By jackburton2006 in forum Hosting Security and Technology
    Replies: 0
    Last Post: 02-03-2006, 07:23 PM
  5. phpsuexec / php.ini overrides all security settings?
    By papi in forum Hosting Security and Technology
    Replies: 5
    Last Post: 12-03-2004, 03:08 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts