[PHP] PHP as apache module and security.

2001-05-06 Thread Andrzej Swedrzynski

Hello!

Recently someone asked how to ensure that no one will read a password from a php file. The only response I noticed was to create a group and add the apache user (often nobody) to that group. I considered this and I cannot see what would stop other users from writing a php script (run also as nobody) which reads the filesystem with the permissions of apache?

Is there a method of making php as module really secure?

Regards,

Andrzej

-- 
http://kokosz.horyzont.net
http://www.earthdawn.pl


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] PHP as apache module and security.

2001-05-06 Thread Estelle Martin

Hi,
What do you think about the following configuration:
1) safe_mode on: this ensures that a php script can read only files that are owned by the same Unix user on the machine; then just check that people having a right to use php and mysql on your box all have a different corresponding Unix user.
2) open_basedir: set this parameter for each php directory to that directory; then the scripts cannot access files that are elsewhere on the server.

In Apache httpd.conf it would be like:

    <Directory /path-to-a-php-directory>
    AddType application/x-httpd-php .php .php4
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir '/path-to-a-php-directory'
    </Directory>

Has someone tested it? Do you see a problem in it?

Estelle





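The per-directory confinement described above, written out for two hosting users as an added example (not Estelle's or the thread's own configuration). User names, paths and the PHP module name are assumed; the point it adds is that PHP's own temp directories (uploads, sessions) must lie inside the allowed path, or uploads and sessions fail once open_basedir is in force.

```apache
# Added example, not from the thread. mod_php runs every script as the Apache
# user (nobody), so Unix file permissions cannot separate users; the separation
# has to come from PHP's own checks, set per directory so users cannot change them.

<IfModule mod_php4.c>
    # safe_mode: a script may only open files whose uid matches the script's own uid.
    # Set with php_admin_flag so a per-directory .htaccess cannot switch it off.
    php_admin_flag safe_mode on
</IfModule>

# One block per user; each is confined to that user's tree.  Assumed paths.
<Directory /home/alice/public_html>
    AddType application/x-httpd-php .php .php4
    AddType application/x-httpd-php-source .phps
    # Allowed path: the user's web tree plus a private tmp dir.  Several
    # directories are separated by ':' on Unix.
    php_admin_value open_basedir "/home/alice/public_html:/home/alice/tmp"
    # Uploads and session files must live inside the allowed path, otherwise
    # file uploads and sessions break for this user.
    php_admin_value upload_tmp_dir "/home/alice/tmp"
    php_admin_value session.save_path "/home/alice/tmp"
</Directory>

<Directory /home/bob/public_html>
    AddType application/x-httpd-php .php .php4
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir "/home/bob/public_html:/home/bob/tmp"
    php_admin_value upload_tmp_dir "/home/bob/tmp"
    php_admin_value session.save_path "/home/bob/tmp"
</Directory>
```

Each private tmp directory must be writable by the Apache user, since the scripts still run as nobody; files created there are owned by nobody, which is exactly the safe_mode uid mismatch Andrzej describes in his reply below.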


Re: [PHP] PHP as apache module and security.

2001-05-06 Thread Andrzej Swedrzynski

On Sun, 6 May 2001, Estelle Martin wrote:

> What do you think about the following configuration:
>
> 1) safe_mode on: this ensures that a php script can read only files that
> are owned by the same Unix user on the machine; then just check that people
> having a right to use php and mysql on your box all have a different
> corresponding Unix user.

I cannot use it because I need to create files dynamically and they will have "nobody" as their user. Scripts executed later have no way to read those files.

> 2) open_basedir: set this parameter for each php directory to that
> directory; then the scripts cannot access files that are elsewhere on the
> server.
>
> In Apache httpd.conf it would be like:
>
>     <Directory /path-to-a-php-directory>
>     AddType application/x-httpd-php .php .php4
>     AddType application/x-httpd-php-source .phps
>     php_admin_value open_basedir '/path-to-a-php-directory'
>     </Directory>
>
> Has someone tested it? Do you see a problem in it?

I haven't tested it, however it looks nice and I'll talk to my server's owner about it. There is however one bad feature of this method: the administration. For every user and every application the administrator has to create an entry in httpd.conf. Anyway, it's his/her problem...

Thanks for suggestions!

Regards,

Andrzej
