Hello, I would like to know how private the ISPC website folder '/private' is... I am studying the possibility of storing the MySQL password in a file in the ISPC website folder '/private'. Can a hacker access that file by any means? Many thanks
Only if they have access to your site's root folder via SSH or FTP; otherwise, they normally won't be able to access it.
And take care to give files that contain passwords the right permissions, e.g. 600 to ensure that only the user of this website is able to read it.
I have an additional question. I use Dolibarr. Dolibarr is reachable at https://mysite.tld/htdocs. I built a redirect: no flag, path = /htdocs/. In my web root, `ls -lrt` gives:
```
drwxr-xr-x  2 web30 client15 4096 Jun 30 14:26 error
drwxr-xr-x  2 web30 client15 4096 Jun 30 14:26 stats
drwxr-xr-x  8 web30 client15 4096 Jun 30 14:26 dev
drwxr-xr-x 23 web30 client15 4096 Jun 30 14:26 build
drwxr-xr-x  5 web30 client15 4096 Jun 30 14:26 doc
drwxr-xr-x 16 web30 client15 4096 Jun 30 14:26 scripts
drwxr-xr-x 74 web30 client15 4096 Jun 30 14:26 htdocs
```
My question is: considering the redirection, is it possible to reach the 'scripts' directory with curl, wget, a browser, or another hacker tool?
Try it yourself. If a browser can reach it, then so can curl and wget. With the information you have provided it is not possible to know if your scripts directory is secure or not.
@ahrasis I didn't succeed in reaching it in my browser. I tried: https://mysite.tld/../scripts/script.sh and it goes to https://mysite.tld/scripts/script.sh, which is https://mysite.tld/htdocs/scripts/script.sh considering my redirection! But I wonder if there is a way to bypass it... As @Taleman suggests, I will protect all unused scripts with chmod 000...
As I said, I don't think any browser can reach that folder if it is in the site's root. Normally when one uses PHP, for example, one will code it to specify root folders to secure certain important files from being touched via browser. I am not sure what language your site is using, but it should have a way of specifying that kind of folder.
Each website in ISPConfig has a folder named 'private', which is outside of the web root and made to store files that shall not be accessible via browser.
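As an added example (not written by any poster in this thread and not ISPConfig's own code), a shell check for the two points made above: the password file sits outside the web root, and only its owner has any permissions on it. The function names and the demo paths are assumptions, and `stat -c` assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example: audit a credentials file on an ISPConfig-style site layout.
# Function names and demo paths are hypothetical, not from the thread.

# Return 0 if file $1 resolves to a location outside web root $2.
outside_webroot() {
    file=$(realpath "$1") || return 2
    root=$(realpath "$2") || return 2
    case "$file" in
        "$root"/*) return 1 ;;   # under the docroot: the web server can serve it
        *)         return 0 ;;
    esac
}

# Return 0 if $1 grants nothing to group or others (600, 400, 000, ...).
owner_only() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat prints octal mode, e.g. 600
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print one verdict line for file $1 against web root $2; non-zero on failure.
audit_secret() {
    if ! outside_webroot "$1" "$2"; then
        echo "FAIL: $1 is inside the web root $2"; return 1
    fi
    if ! owner_only "$1"; then
        echo "FAIL: $1 has mode $(stat -c '%a' "$1"), expected 600 or stricter"; return 1
    fi
    echo "OK: $1"
}

# Demo on a constructed directory tree standing in for one website's folders.
site=$(mktemp -d)
mkdir "$site/web" "$site/private"
printf 'db_password=example\n' > "$site/private/db.conf"
chmod 600 "$site/private/db.conf"
printf 'db_password=example\n' > "$site/web/db.conf"
chmod 644 "$site/web/db.conf"
audit_secret "$site/private/db.conf" "$site/web" || true   # OK
audit_secret "$site/web/db.conf" "$site/web" || true       # FAIL: inside web root
rm -rf "$site"
```

The check covers location and mode only; it says nothing about what a redirect or a symlink inside the web root exposes.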
I am trying this in the Apache conf for that website:
```
<Directory "/var/www/clients/clientx/weby/web/scripts">
    Require all denied
</Directory>
```
Let's see!