If you have a CGI script with 700 permissions, that script cannot be
accessed by the Apache server unless that server is running Apache SUID,
meaning that your own account runs the web server.
In most cases Apache is run by its own account.

In this case, if you set the permissions for the file to 755, the file
can be viewed by other accounts from that server.
This is because 755 means read and execute permissions for the group and for
everyone.


Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "Matthew Baranowski" <[EMAIL PROTECTED]>
To: "Octavian Rasnita" <[EMAIL PROTECTED]>; "Larry Brown"
<[EMAIL PROTECTED]>; "MySQL List" <[EMAIL PROTECTED]>
Sent: Monday, January 06, 2003 8:10 PM
Subject: Re: Hiding the password


Hello Teddy:

Could you please be a bit more demonstrative? If I have a module at a Web
address on an Apache server with permissions 700 (Warren said he has his
script set to 755, I think), how exactly do you believe a site visitor can access
the text of the script? Or how do you think another system user could access
the text of the script?

I am beginning to think that you operate in a strange, unsecured Web
environment. Please lay out a general set of steps by which someone could
gain access to the text of a Perl script on a Web server with 700 or 755
permissions.

Thanks,

Matt Baranowski


----- Original Message -----
From: "Octavian Rasnita" <[EMAIL PROTECTED]>
To: "Larry Brown" <[EMAIL PROTECTED]>; "MySQL List"
<[EMAIL PROTECTED]>
Sent: Sunday, January 05, 2003 10:33 PM
Subject: Re: Hiding the password


> No, we are not talking about the staff of the hosting company.
>
> The hosting company runs a single Apache server on a single account on that
> server for all sites that are sitting on that computer.
> If the user that runs the web server has access to your files, this means
> that everyone has access.
>
>
> Teddy,
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Larry Brown" <[EMAIL PROTECTED]>
> To: "MySQL List" <[EMAIL PROTECTED]>
> Sent: Saturday, January 04, 2003 9:50 PM
> Subject: RE: Hiding the password
>
>
> First, why are we conceding that "everyone can find out your id and
> password"?  Your hosting company has your site separated from other
> customers' sites right?  So we are just talking about the development team
> for your site being privy to this information.
>
> Second, if you are referring to the staff of the hosting company, you can't
> avoid their ability to access data via your login scripts period.  As far as
> I know they can view all of your communication with the MySQL database and
> can get that information.  If you want tight security hosting it yourself is
> a must in my view.
>
> Larry S. Brown
> Dimension Networks, Inc.
> (727) 723-8388
>
> -----Original Message-----
> From: wcb [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 04, 2003 1:51 PM
> To: Mark; MySQL
> Subject: Re: Hiding the password
>
> It isn't at all difficult to grasp.  Please carefully (and exercising a
> certain amount of patience) read my post and the previous post upon which my
> post was based.  We are acknowledging that EVERYONE can find out your id and
> password.  The question reformulated is:
>
> "Given that one's MySql environment may not be accessible in terms of privs
> (which is the case for a lot of people, who are paying for hosting by a
> third party) and given that we CAN'T hide the id/password combination, is
> the standard arrangement that hosts use (which is to ensure that only
> localhost can access the database) adequate to prevent people from doing
> unwanted things in your database?  NOTE that I'm assuming that one has a
> script on localhost, and all users are from another domain, and also
> assuming that the script is properly set up to constrain the activities of
> users, does it even matter that people can determine the id/password
> combination??"
>
> Thanks for patient responses.
>
> Cheers!
>
> -warren
>
>
>
> >
> > > Perhaps gurus can comment on what I'm suggesting here - if the database is
> > > set up so that only "localhost" can access it, then you can use a php or
> > > PERL script to allow people from elsewhere to cruise in and make queries
> > > as your script allows.
> >
> > Why is this so difficult to grasp? As I, and many others, have pointed out,
> > repeatedly, it does not matter how many layers you wrap around your
> > password-retrieval code, as soon as you make the end-result
> > accessible/readable by your web-CGI, you have done just that: made the
> > user/password accessible by your web-daemon -- hence, made it accessible to
> > everyone with access to your web-server.
> >
> > And no, adding some sort of access-control within your CGI is equally
> > useless: as a user being hosted on your web-server I would not bother to run
> > your CGI, but simply copy it for ocular inspection. :)
> >
> > > Certainly I'd appreciate comments on this by people in the know, because
> > > it is an issue that so many people face...
> >
> > Perhaps those people should do what I do: create special MySQL users
> > (@localhost), unprivileged to the max, with only very narrow SELECT
> > privileges to the databases they are supposed to read data from, and use
> > those users to access the MySQL server in your CGI.
> >
> > - Mark
> >
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> >    http://www.mysql.com/manual.php   (the manual)
> >    http://lists.mysql.com/           (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> >

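The permission question running through this thread (what 700 versus 755 exposes, and to whom) is easy to check mechanically. The script below is an added example and is not code from any of the posters; it assumes a POSIX sh with find(1) and mktemp(1), and the two CGI files it audits are constructed on the fly with placeholder contents. It decodes an octal mode into the classes that can read the file and then lists every file under a directory whose "other" read bit is set, which is exactly the 755 case Teddy describes.

```shell
#!/bin/sh
# Added example, not code from the thread. Decodes a numeric mode into the
# classes that can read a file, and audits a directory for files readable by
# anyone other than the owner. Assumes a POSIX sh with find(1) and mktemp(1).

# Print the classes (owner, group, other) whose read bit is set in an octal
# mode such as 700, 755 or 640.
mode_readers() {
    m=$((0$1))                      # leading 0 makes the shell parse it as octal
    out=""
    [ $(( (m >> 6) & 4 )) -ne 0 ] && out="${out}owner "
    [ $(( (m >> 3) & 4 )) -ne 0 ] && out="${out}group "
    [ $(( m & 4 )) -ne 0 ] && out="${out}other "
    printf '%s\n' "${out% }"
}

# Report whether a file's contents are exposed to the "other" class, i.e. to
# every account on the host that is neither the owner nor in the file's group.
# Returns 0 (exposed) or 1 (not exposed).
other_can_read() {
    case " $(mode_readers "$1") " in
        *" other "*) return 0 ;;
        *) return 1 ;;
    esac
}

# List (by basename) the regular files under DIR whose "other" read bit is set.
# find's -perm -004 is the portable spelling of "other has read".
other_readable_files() {
    find "$1" -type f -perm -004 | sed 's|.*/||' | sort
}

# Build a throwaway directory with two constructed CGI scripts (placeholder
# contents, not real credentials) and audit it. Prints the exposed file names.
demo_audit() {
    tmp=$(mktemp -d)
    printf '#!/usr/bin/perl\nmy $dbpass = "PLACEHOLDER";\n' > "$tmp/config.cgi"
    chmod 755 "$tmp/config.cgi"        # the mode discussed in the thread
    printf '#!/usr/bin/perl\n' > "$tmp/private.cgi"
    chmod 700 "$tmp/private.cgi"       # owner only
    other_readable_files "$tmp"
    rm -rf "$tmp"
}

# Usage:
#   mode_readers 755   -> "owner group other"
#   mode_readers 640   -> "owner group"
#   demo_audit         -> "config.cgi"
```

Two things the output makes concrete. First, 755 grants read to the "other" class, so every local account, not just the web server's, can copy the script, which is the "ocular inspection" Mark describes. Second, a mode like 640 with the file's group set to the web server's group closes the "other" hole but still leaves the file readable by whatever runs as that group; on a host where one Apache account executes every customer's CGI, that is precisely the situation Octavian describes, and no mode bits alone fix it. That is why the thread's durable mitigation is Mark's: a MySQL account limited to localhost with only the SELECT privileges the script needs, so that a leaked password buys as little as possible.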