Lewis Thompson wrote:

On Tue, Feb 10, 2004 at 03:56:08PM +0000, Peter Risdon wrote:


Lewis Thompson wrote:


I am worried that because the script must be read/writeable by the
Apache user (www) that anybody that can write a PHP script on my machine
can read the auth script and read the passwords that would be contained
within -- those to my MySQL server.





All you can do really is store the passwords themselves in an include file that you put in the most secure place possible, preferably not in webspace. But I imagine you have this covered.



Yeah, but this is really security through obscurity, not something I'm
keen on ;)


That's kind of what we're talking about here, though. Keeping a file's contents inaccessible.



Is there any way I can have a script that is not readable by a user,
while still allowing that user to execute it?  Maybe through using a
wrapper of some sort?  I do not have UFS2 so I cannot use ACLs.




Not that I know of, but have you considered compiling apache with suexec? Assuming your other users have separate logins, this might work. You can have apache execute scripts as the appropriate user, not www. That way, a 700 permission should prevent other users from reading your scripts.



I read some stuff about this. I got the impression it required using
PHP as a CGI, instead of mod_php. Am I wrong in thinking this?


Yes, you can use mod_php with suexec. Makes most sense with virtual hosts, because each host must run as a single user.

PWR.

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
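
Added example, not part of the thread or of anyone's message: a POSIX shell check for the two properties suggested above for a credentials include file, namely that it sits outside webspace and that group and other have no permission bits on it. The function names, return codes and any paths passed in are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a credentials include file of the kind discussed above.
# Function names and return codes are hypothetical, chosen for this sketch.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Resolve the directory holding a path to its physical location, so a
# symlinked directory cannot make a file inside the docroot look external.
real_dir() {
    ( cd "$(dirname "$1")" 2>/dev/null && pwd -P )
}

# audit_secret FILE DOCROOT
# Returns 0 if both checks pass, 1 if FILE lives under DOCROOT,
# 2 if group or other has any permission bit set, 3 if FILE is missing.
audit_secret() {
    file=$1
    docroot=$2
    [ -f "$file" ] || { echo "missing: $file"; return 3; }

    dir=$(real_dir "$file")
    root=$( cd "$docroot" 2>/dev/null && pwd -P ) || root=$docroot
    case "$dir/" in
        "$root"/*) echo "inside webspace: $file"; return 1 ;;
    esac

    mode=$(file_mode "$file")
    # The leading 0 makes the shell read the mode as octal; 077 masks group/other.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode gives group/other access to $file"; return 2
    fi
    echo "ok: $file (mode $mode)"
    return 0
}

# When run as a script with two arguments, audit that file against that docroot.
if [ $# -eq 2 ]; then
    audit_secret "$1" "$2"
fi
```

The check only reports on file placement and mode bits; whether other users' scripts run as the same account as the file's owner is a separate question that it does not examine.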
