This is a problem that affects many webhosts... the issue is more of trusting other users who have shell access to the server in question... I have been trying to help a hosting company address this issue, but short of disallowing shell/ssh access there is no way to stop another user logging into the shell and browsing other people's files... If I am wrong then I would like to be enlightened!
Which is why the company above only gives out ssh accounts to users with valid reasons for needing ssh access.

> -----Original Message-----
> From: Jonathan Rosenberg [mailto:[EMAIL PROTECTED]]
> Sent: 28 June 2002 2:52 PM
> To: Erik Price
> Cc: php-list
> Subject: RE: [PHP] Keeping "Secrets" in PHP Files
>
>
> Thanks for the reply. But changing the group read permission of
> the PHP files wouldn't help, either, would it? Because the other
> users who have web sites can just create a PHP file that reads my
> PHP files from one of their pages (which would be running in
> group "websecret").
>
> Seems like this just opens up the same hole. Yes?
>
> > -----Original Message-----
> > From: Erik Price [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 28, 2002 9:43 AM
> > To: Jonathan Rosenberg
> > Cc: php-list
> > Subject: Re: [PHP] Keeping "Secrets" in PHP Files
> >
> >
> > On Friday, June 28, 2002, at 09:30 AM, Jonathan Rosenberg wrote:
> >
> > > Let's say I am in a shared server environment & the provider does
> > > NOT have safe_mode turned on. In that case, it seems to me that
> > > it is "insecure" to keep "secrets" (e.g., DB passwords) in a PHP
> > > file that is executed by the server.
> > >
> > > I say this because any other users of that shared host can read
> > > the PHP file & obtain the secret. There does not seem to be any
> > > way around this (once again, I am assuming safe_mode is NOT
> > > turned on).
> >
> > Think about it in terms of the permissions on the file. The people who
> > can read this file are explicitly defined in your permissions.
> >
> > The catch-22 is that the web server is usually not run as root, so it
> > doesn't automatically get to see your files -- you need to give it
> > permission to read them just as you would any other user. In a shared
> > system, if you give "others" permission to read the file, the web server
> > user can now read the file, but so can everyone else.
> >
> > However, if there were some way for you to change the group association
> > of the file to, say, the "websecret" group, and then you could close off
> > the read permissions of "others" on that file. As long as the web server
> > is a member of "websecret", and you grant read permissions to the group
> > for that file, then the web server can read it.
> >
> > The trick is that in order to change the file's group association to
> > "websecret", you probably need to be either root or a member of
> > "websecret", unless the system admins have provided some kind of script
> > that does this on your behalf. Which means that anyone else who has
> > this ability can read the file too (since they are a member of
> > "websecret").
> >
> > It's tough. Shared hosting security is a difficult issue.
> >
> >
> > Erik
> >
> > ----
> >
> > Erik Price
> > Web Developer Temp
> > Media Lab, H.H. Brown
> > [EMAIL PROTECTED]
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
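As an added illustration, not part of the original thread, here is a small Python model of the Unix owner/group/other read check applied to the two file layouts Erik describes (world-readable, and group-readable via "websecret"). The user and group names are constructed for the example.

```python
import stat

# Minimal model of Unix discretionary read access: the owner bit applies
# if the requester owns the file, the group bit if the requester belongs
# to the file's group, otherwise the "others" bit.  Added example, not
# code from the thread.
def can_read(mode, owner, group, user, user_groups):
    """True if `user` (a member of `user_groups`) may read a file with
    permission bits `mode`, owned by `owner` and in group `group`."""
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

# Constructed shared-host accounts (hypothetical names and group sets).
USERS = {
    "jonathan":  {"jonathan", "websecret"},   # owner of the PHP file
    "www-data":  {"www-data", "websecret"},   # the web server account
    "neighbour": {"neighbour", "websecret"},  # another customer whose site also runs in websecret
    "outsider":  {"outsider"},                # shell user who is not in websecret
}

def readers(mode, owner, group):
    """Sorted list of constructed users who can read a file with these attributes."""
    return sorted(u for u, gs in USERS.items() if can_read(mode, owner, group, u, gs))

def scenarios():
    """Compare the two layouts discussed in the thread."""
    return {
        # world-readable: every shell user on the host can read the DB password
        "0644 jonathan:jonathan": readers(0o644, "jonathan", "jonathan"),
        # group-readable via websecret: "others" are shut out, but every member
        # of websecret, including other customers, can still read the file
        "0640 jonathan:websecret": readers(0o640, "jonathan", "websecret"),
    }

if __name__ == "__main__":
    for layout, who in scenarios().items():
        print(f"{layout}: readable by {', '.join(who)}")
```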