>>ServerName www.example.com
>>DocumentRoot /home/example/htdocs
>>php_value decryptionkey "123456789"
>>encode your secret data using the decryptionkey 
>>before hand, and then decode it on the fly using
>>the environment variable present in only in your 
>>I'm hoping that no one outside of your vhost can
>>see the value of that variable. (does anyone know 
>>if you can pull environment variables from other 
>>vhosts or if PHP can read httpd.conf?)

> Alas, if you have access to be altering httpd.conf for the "key" you suggest
> in the first place, I could just put my database secrets there and be done
> with it.  Make sure only root (Apache) can read httpd.conf, and the problem
> is solved...

One could put just a db password in the vhost environment or 
could do something to decrypt code on the fly. 

Could we make this work in a shared environment if httpd.conf 
were not world readable and the vhost contained a $cypher, 
$cryptmode and a $decryptionkey variable, and files owned by
the webserver user were all read only? 

Then doing something like this to protect secret code:

eval(mcrypt_decrypt ( $cipher, $decryptionkey,
join("\n",file('mysecret.inc') , $cryptmode));

> I *suppose* as an administration issue, having an ISP that 
> sets one value one time for you in httpd.conf is easier than 
> making them edit httpd.conf all the time for you, but...
> I don't foresee a lot of ISP's embracing this "key" solution, 
> personally.

There are ways to reduce the admin overhead on stuff like this...
for example one could give every user an include file doing 
something like this in httpd.conf:

## begin Apache vhosts
include /home/user1/vhost.conf
include /home/user2/vhost.conf
include /home/user3/vhost.conf

There'd have to be some validation of what was acceptable within 
those files for sure... (perhaps parse the file and only allow 
certain settings)... 

I think if there were a list of recommending practices on how 
to secure shared hosting environments on php.net consumer 
pressure/competitve advantage would sway some ISP into doing 
a little configuration work to protect/keep their clients happy.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to