Thanks for the reply. But changing the group read permission of the PHP files wouldn't help, either, would it? Because the other users who have web sites can just create a PHP file that reads my PHP files from one of their pages (which would be running in group "websecret").
Seems like this just opens up the same hole. Yes?

> -----Original Message-----
> From: Erik Price [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 28, 2002 9:43 AM
> To: Jonathan Rosenberg
> Cc: php-list
> Subject: Re: [PHP] Keeping "Secrets" in PHP Files
>
>
> On Friday, June 28, 2002, at 09:30 AM, Jonathan Rosenberg wrote:
>
> > Let's say I am in a shared server environment & the provider does
> > NOT have safe_mode turned on. In that case, it seems to me that
> > it is "insecure" to keep "secrets" (e.g., DB passwords) in a PHP
> > file that is executed by the server.
> >
> > I say this because any other users of that shared host can read
> > the PHP file & obtain the secret. There does not seem to be any
> > way around this (once again, I am assuming safe_mode is NOT
> > turned on).
>
> Think about it in terms of the permissions on the file. The people who
> can read this file are explicitly defined in your permissions.
>
> The catch-22 is that the web server is usually not run as root, so it
> doesn't automatically get to see your files -- you need to give it
> permission to read them just as you would any other user. In a shared
> system, if you give "others" permission to read the file, the web server
> user can now read the file, but so can everyone else.
>
> However, if there were some way for you to change the group association
> of the file to, say, the "websecret" group, then you could close off
> the read permissions of "others" on that file. As long as the web server
> is a member of "websecret", and you grant read permissions to the group
> for that file, then the web server can read it.
>
> The trick is that in order to change the file's group association to
> "websecret", you probably need to be either root or a member of
> "websecret", unless the system admins have provided some kind of script
> that does this on your behalf. Which means that anyone else who has
> this ability can read the file too (since they are a member of
> "websecret").
>
> It's tough. Shared hosting security is a difficult issue.
>
>
> Erik
>
>
> ----
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
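As an added example (not part of the thread, and not code from either poster), here is a small Python model of the POSIX owner/group/other read check, run over the shared-hosting setup the two messages describe. The user names alice, bob and www, their group memberships and the file modes are constructed assumptions. It reproduces Erik's "group websecret, no read for others" arrangement and then shows why Jonathan's objection holds when every customer's PHP page executes as the same web-server user.

```python
"""Model of the POSIX read-permission check applied to the shared-hosting
scenario in the thread.  Added example, not code from the mailing list;
every user, group and file mode below is constructed for illustration.

Rules modelled (the kernel's check, minus root, which bypasses all three):
  1. if the caller owns the file, only the owner bits are consulted;
  2. otherwise, if the file's group is one of the caller's groups, only the
     group bits are consulted;
  3. otherwise the "other" bits decide.
There is no fall-through: a file with mode 0o604 is unreadable by its group
even though "others" may read it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A process identity: effective user name plus all group memberships."""
    user: str
    groups: frozenset


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o640


def can_read(p: Principal, f: File) -> bool:
    """Return True if principal p may read file f under the rules above."""
    if p.user == f.owner:
        return bool(f.mode & 0o400)
    if f.group in p.groups:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)


def readers(f: File, principals) -> set:
    """Names of all principals that can read f."""
    return {p.user for p in principals if can_read(p, f)}


# Constructed shared host: two customers with shell accounts, and the single
# web-server user that runs every customer's PHP (no safe_mode, no per-user
# execution).  "www" has been put into the hypothetical "websecret" group.
ALICE = Principal("alice", frozenset({"alice"}))
BOB = Principal("bob", frozenset({"bob"}))
WWW = Principal("www", frozenset({"www", "websecret"}))
HOST = [ALICE, BOB, WWW]

# Bob's own PHP page is served by the same web server, so when it opens
# alice's file it does so as the WWW principal, not as bob.
BOBS_SCRIPT = WWW


def scenario_world_readable():
    """The default 0644: the server can read it, but so can every shell user."""
    f = File(owner="alice", group="alice", mode=0o644)
    return readers(f, HOST)


def scenario_websecret_group():
    """Erik's suggestion: chgrp websecret, chmod 640 (others closed off)."""
    f = File(owner="alice", group="websecret", mode=0o640)
    return {
        "shell_readers": readers(f, HOST),        # bob locked out from his shell
        "bob_via_php": can_read(BOBS_SCRIPT, f),  # ...but his page runs as www
    }


def scenario_bob_in_websecret():
    """If bob is made a member of websecret so he can chgrp his own files,
    he reads alice's file directly, as Erik's last paragraph notes."""
    bob_ws = Principal("bob", frozenset({"bob", "websecret"}))
    f = File(owner="alice", group="websecret", mode=0o640)
    return readers(f, [ALICE, bob_ws, WWW])


if __name__ == "__main__":
    print("0644, group alice     :", sorted(scenario_world_readable()))
    print("0640, group websecret :", scenario_websecret_group())
    print("bob also in websecret :", sorted(scenario_bob_in_websecret()))
```

The second scenario is the one the reply above is about: the mode bits can distinguish bob's shell from the web server, but they cannot distinguish alice's page from bob's page, because both run under the same effective user. Any scheme built only on owner/group/other bits inherits that limit as long as all customers' scripts share one server identity.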