On Wed, 28 Feb 2001, Gustavo Vieira Goncalves Coelho Rios wrote:
> Hi folks!
>
> I have a FreeBSD server configured as a http server, running apache.
> This installation includes mod_perl+EmbPerl, mod_php4 mod_cgi and
> mod_fastcgi. Some of my users will be using mysql for database. The
> problem is that this scenario requires sensitive information inside
> a file. This means no problem when these users write their dynamic pages
> inside a compiled program. I can chmod a-rw and nobody will be able to
> take away user/password from a compiled program. The problem happens
> when they write their php or embperl pages!
>
> the key user\password are kept inside this file, so anyone can use an
> editor to retrieve the user mysql account. I resolve this problem
> running php on secure mode and chgrping the php file the same user as
> the http process and removing other flags file access (g-rwx). So nobody
> besides the owner of the file (or the http process) will be able to read
> it.
>
> since php has some security facilities, like: if the file owner id !=
> the file the script is trying to open => fails.
> My problem is with perl: how to solve such a problem in a perl
> environment?
> Does mod_perl allow any kind of security, to prevent one writing a
> script to read others' files?
>
>
> PS: All cgi runs through suexec, so even cgi are not able to run the
> script, ok?

At this moment anybody who has access to the mod_perl server can read any
data which is accessible by the same server. suexec is not an option
because of process persistence.

I understand that you want to store the SQL engine authentication info,
and users not to know each other's access credentials. The only solution
at this point is to either trust your users not to abuse each other, or
run a separate server for each one :(
_____________________________________________________________________
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED] http://apachetoday.com http://logilune.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
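
Added example, not part of the original thread and not code from either poster: a small audit that separates files other shell users can open themselves from files that are closed to them but readable by the server, which is the exposure the reply describes for a shared mod_perl process. The uids, gids, user names and paths are constructed for illustration, and `classify`, `scan` and `report` are hypothetical helper names.

```python
import os
import stat
from typing import NamedTuple

class Entry(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int

def can_read(e, uid, gids):
    """Unix read check: the first matching class (owner, group, other) decides."""
    if uid == 0:
        return True
    if e.uid == uid:
        return bool(e.mode & stat.S_IRUSR)
    if e.gid in gids:
        return bool(e.mode & stat.S_IRGRP)
    return bool(e.mode & stat.S_IROTH)

def classify(e, httpd, users):
    """httpd and each users[name] are (uid, set_of_gids) pairs.

    'direct'    - another shell user can open the file themselves
    'via-httpd' - only the owner and the server can, so any code running in
                  the shared mod_perl process can still read it
    'private'   - the server cannot read it (so it cannot serve it either)
    """
    others = [u for u in users.values() if u[0] != e.uid]
    if any(can_read(e, uid, gids) for uid, gids in others):
        return "direct"
    return "via-httpd" if can_read(e, *httpd) else "private"

def scan(root):
    """Yield an Entry per regular file under root. Parent-directory search
    bits and ACLs are ignored, so treat the result as approximate."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode):
                yield Entry(os.path.join(dirpath, name), st.st_uid,
                            st.st_gid, stat.S_IMODE(st.st_mode))

# Constructed sample: uids, gids and paths are made up for illustration.
HTTPD = (80, {80})
USERS = {"alice": (1001, {1001}), "bob": (1002, {1002})}
SAMPLE = [
    Entry("/home/alice/www/db.epl", 1001, 80, 0o640),   # chgrp to httpd, o-rwx
    Entry("/home/bob/www/conf.pl", 1002, 1002, 0o644),  # world-readable
    Entry("/home/alice/notes.txt", 1001, 1001, 0o600),  # owner only
]

def report(entries=SAMPLE, httpd=HTTPD, users=USERS):
    return {e.path: classify(e, httpd, users) for e in entries}
```

Every file reported as 'via-httpd' is protected from other users' shells by the chgrp/o-rwx arrangement described in the question, but not from their code running inside the same server process.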