On 24/09/2005 19:41, Shlomi Fish wrote:
> 2. The passwords of the MySQL databases are currently stored in world-readable
> files. Thus, anyone who has shell access can sabotage the databases.
> Perhaps we need to hide them in a better way. For PHP or Perl it is possible
> to slurp a file containing the passwords into a variable.
You can't really do anything about this as long as you don't run a
separate instance of apache for each website under a different user, or
run PHP under (fast)CGI with SUID directive.
The apache user must be able to read the files and any user can probably
run a script under the apache user and read any file it can read.
Assuming there's no secret data in these databases, I would just make
sure there's a proper backup and that all people with shell access can
be trusted.
Sagi
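As an added example (not from this thread or either writer), here is a small POSIX sh audit for the situation Shlomi describes: find world-readable files under a web root that appear to hold DB credentials, and tighten them to owner plus web-server group. The directory layout, file names and the `DB_PASS`/`mysql_pass` patterns are constructed for the demo; as Sagi notes, while PHP runs as the shared apache user this only narrows the gap, it does not close it.

```shell
#!/bin/sh
# Added example, not the list's or either author's code.
# Paths, file names and credential patterns below are constructed.

# List regular files under $1 that are readable by "other" (mode bit 004)
# and contain a line that assigns something that looks like a DB password.
find_world_readable_secrets() {
    find "$1" -type f -perm -004 -print 2>/dev/null | while read -r f; do
        if grep -qiE '(db_pass|mysql_pass|password)[[:space:]]*=' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Restrict one file to its owner (read/write) and the given group (read),
# dropping all access for everyone else. Caveat: any script that runs as
# that group's web-server user can still read it; per-user PHP (suexec /
# FastCGI) or separate apache instances are what actually isolate sites.
restrict_secret_file() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# Build a constructed fixture so the functions can be exercised offline.
# Prints the fixture root; caller removes it when done.
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/site1" "$root/site2"
    printf 'DB_PASS = "example-only"\n' > "$root/site1/config.php"
    printf 'greeting = hello\n' > "$root/site1/settings.ini"
    printf '$mysql_pass = "example-only";\n' > "$root/site2/db.inc"
    chmod 0644 "$root/site1/config.php" "$root/site1/settings.ini"
    chmod 0600 "$root/site2/db.inc"   # already restricted; must not be listed
    printf '%s\n' "$root"
}

# Usage:
#   root="$(make_fixture)"
#   find_world_readable_secrets "$root"        # lists site1/config.php only
#   restrict_secret_file "$root/site1/config.php" www-data
```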