Liam MacKenzie wrote:

>permission to create tables in other databases, but they can 
>still browse them and view the information.
>
I do not know MySQL but I'd be very surprised if this was not a database 
creation/configuration issue. In postgres, unless given permission, I 
cannot even connect to someone else's database.

>
>Anyway, the example I used for the named.conf was a bad one.  
>They cannot delete this, but they can view its contents.  How 
>can I restrict all PHP functions to
>the one directory?  So if a user makes a file like this:
><?
>include ("../../../../../../../../../etc/eXtremail/eXtremail.conf");
>?>
>
>Instead of printing the conf file with the SMTP password in it, 
>it'll return an error.
>
I think this is a real general security issue, not limited to PHP. Some 
sites do not have write access to anything in cgi-bin but have some 
scripts which may be read and used. Now with perl and php, executing 
ordinary commands becomes easier.

I have an account on a webhosting (GNU Linux) computer, only ftp and web 
access and to my area only (no shell). Apache has a "document root" for 
me and I cannot go above it. The ftp access has a ftproot for me and I 
cannot go above it. Last night I ftp'ed a little perl (it does not have 
php) script into my directory, chmod to 755 and executed it (by its 
url). It did a "cat /etc/httpd/conf/httpd.conf > filename". I then 
ftp'ed it back to me. I can only read/modify files for which my 
username/group has permissions, but it's enough to give me all the login 
names if I wanted them.

Used as cgi-bin type scripts, perl, php (and anything else) have no 
concept of a document root, so root is the real root. A compiled C 
program uploaded can do the same.

I feel an execution parser is needed so that only certain types of 
programs may be executed, and the concept of an execution root for users' 
directories. Read/execute access to some things outside are necessary 
though.

What do others on the list think? This issue must have come up before 
somewhere, so is there an accepted solution, and am I missing something?

Regards

Chris
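The question quoted above asks how to keep include() from reaching outside the site's own directory. As an added example (not code from either poster), here is an application-level containment check: the requested path is resolved with realpath(), which collapses "../" segments and symlinks, and the include is refused unless the resolved path still lies under the configured base directory. The base directory name and the helper file are constructed for the demonstration; the traversal string is the one from the quoted mail, used only as an input that must be rejected.

```php
<?php
// Added example, not from the mailing-list thread.
// Confine include() to one directory by resolving the path first and
// checking the result against the base directory.

declare(strict_types=1);

/**
 * Resolve $relative against $base. Return the absolute path only if it stays
 * inside $base, otherwise null. realpath() resolves "../" and symlinks, so the
 * prefix comparison is made on the real location, not on the raw string.
 */
function confined_path(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                       // base directory does not exist
    }
    // realpath() returns false for files that do not exist; that is a refusal too.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return null;
    }
    // Compare with a trailing separator so "/var/www2" is not accepted as
    // being under "/var/www".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

/** include() the file only if confined_path() accepts it; log and refuse otherwise. */
function safe_include(string $base, string $relative): bool
{
    $path = confined_path($base, $relative);
    if ($path === null) {
        error_log("refused include outside {$base}: {$relative}");
        return false;
    }
    include $path;
    return true;
}

// Demonstration: a temporary directory stands in for the site's document root
// (constructed for this example).
$docroot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confine_demo_' . getmypid();
mkdir($docroot . '/lib', 0700, true);
file_put_contents($docroot . '/lib/helper.php', "<?php echo \"helper loaded\\n\";\n");

// Inside the base directory: accepted, prints "helper loaded".
var_dump(safe_include($docroot, 'lib/helper.php'));
// The traversal path from the quoted mail: resolved and refused.
var_dump(safe_include($docroot, '../../../../../../../../../etc/eXtremail/eXtremail.conf'));

// Clean up the constructed files.
unlink($docroot . '/lib/helper.php');
rmdir($docroot . '/lib');
rmdir($docroot);
```

The check above only protects code paths that call safe_include(); a user who can upload arbitrary scripts, as in the quoted example, bypasses it. The server-side control that answers the question as asked is PHP's open_basedir directive, which restricts every file-opening function in the interpreter (include, fopen, file and so on) to the listed directories and can be set per virtual host, so it applies regardless of what the uploaded script does.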



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
