RE: [PHP] Securing php files on shared servers

2003-02-03 Thread Hardik Doshi

Hi everyone,

I found the same problem regarding a security issue with the database password file. Does
anyone have a solution for that?

thanks

Hardik

 
John W. Holmes [EMAIL PROTECTED] wrote:

> Major security question:
>
> I manage a shared Linux web server running PHP 4.2.3. Apache must have
> read permissions on a php file necessary for a web application. For
> example a conf.php file containing a MySQL password that is stored
> outside the web directory:
>
> -rw-r----- 1 q apache 3522 Oct 17 06:39 conf.php
>
> Because this file is readable by apache, ANY user on the server can write
> the following script:
>
>
>
> which upon execution the conf.php file will be read by apache and exposed
> to the user.
>
> Example understood?
>
> How can a file be secured so it can still be used by apache, but
> inaccessible by any other user? Is there a PHP ini configuration to force
> apache to run as the user that is the owner of the php files being
> executed?

Either turn on safe_mode or use the CGI instead of the module.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy
today. http://www.phparch.com/



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





RE: [PHP] Securing php files on shared servers

2003-02-03 Thread Adam Voigt




Yeah, on your DBConnection include file (where your username/pass is kept), encrypt
the page with an encoder like IonCube (http://www.ioncube.com). They charge by the amount
of code, so for say, two connection lines, it's like $1.00. Check out their site; after you sign
up for an account you can select your script and the web-interface will tell you how much
it would cost to encode.



On Mon, 2003-02-03 at 10:02, Hardik Doshi wrote:

> Hi everyone,
>
> I found the same problem regarding a security issue with the database password file. Does anyone have a solution for that?
>
> thanks
>
> Hardik
>
> John W. Holmes [EMAIL PROTECTED] wrote:
>
> > Major security question:
> >
> > I manage a shared Linux web server running PHP 4.2.3. Apache must have
> > read permissions on a php file necessary for a web application. For
> > example a conf.php file containing a MySQL password that is stored
> > outside the web directory:
> >
> > -rw-r----- 1 q apache 3522 Oct 17 06:39 conf.php
> >
> > Because this file is readable by apache, ANY user on the server can write
> > the following script:
> >
> >
> >
> > which upon execution the conf.php file will be read by apache and exposed
> > to the user.
> >
> > Example understood?
> >
> > How can a file be secured so it can still be used by apache, but
> > inaccessible by any other user? Is there a PHP ini configuration to force
> > apache to run as the user that is the owner of the php files being
> > executed?
>
> Either turn on safe_mode or use the CGI instead of the module.
>
> ---John W. Holmes...







-- 
Adam Voigt ([EMAIL PROTECTED])
The Cryptocomm Group
My GPG Key: http://64.238.252.49:8080/adam_at_cryptocomm.asc










[PHP] Securing php files on shared servers

2003-02-02 Thread Quinn Comendant
Major security question:

I manage a shared Linux web server running PHP 4.2.3. Apache must have
read permissions on a php file necessary for a web application. For
example a conf.php file containing a MySQL password that is stored
outside the web directory:

-rw-r----- 1 q apache 3522 Oct 17 06:39 conf.php

Because this file is readable by apache, ANY user on the server can write
the following script:

<? print_r(file('/home/q/conf.php')); ?>

which upon execution the conf.php file will be read by apache and exposed
to the user.

Example understood?

How can a file be secured so it can still be used by apache, but
inaccessible by any other user? Is there a PHP ini configuration to force
apache to run as the user that is the owner of the php files being executed?

Gosh.
Quinn

___
strangecode :: internet consultancy
http://www.strangecode.com/
USA: +1 530 624 4410
Europe: +33 6 81 78 16 11
___









RE: [PHP] Securing php files on shared servers

2003-02-02 Thread John W. Holmes
> Major security question:
>
> I manage a shared Linux web server running PHP 4.2.3. Apache must have
> read permissions on a php file necessary for a web application. For
> example a conf.php file containing a MySQL password that is stored
> outside the web directory:
>
> -rw-r----- 1 q apache 3522 Oct 17 06:39 conf.php
>
> Because this file is readable by apache, ANY user on the server can write
> the following script:
>
> <? print_r(file('/home/q/conf.php')); ?>
>
> which upon execution the conf.php file will be read by apache and exposed
> to the user.
>
> Example understood?
>
> How can a file be secured so it can still be used by apache, but
> inaccessible by any other user? Is there a PHP ini configuration to force
> apache to run as the user that is the owner of the php files being
> executed?

Either turn on safe_mode or use the CGI instead of the module.

---John W. Holmes...
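
Added example (not part of the thread and not any poster's code): a small Python model of who can read conf.php under the setups discussed above, the plain Apache module, the module with safe_mode, and CGI. The numeric ids, the second tenant, and the assumption that the CGI runs as the script's owner (for example through Apache suEXEC) are illustrative.

```python
# Added example. All uids/gids are constructed; only the conf.php ownership
# and mode (-rw-r----- q apache) come from the original post.
from dataclasses import dataclass

@dataclass(frozen=True)
class File:
    owner: int   # uid
    group: int   # gid
    mode: int    # permission bits, e.g. 0o640

def unix_can_read(f, uid, gids):
    """Standard Unix check: owner class first, then group, then other."""
    if uid == f.owner:
        return bool(f.mode & 0o400)
    if f.group in gids:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

APACHE_UID, APACHE_GID = 48, 48   # constructed ids for the 'apache' account
Q, OTHER = 1001, 1002             # 'q' from the post; OTHER is another tenant

def script_can_read(target, script, model):
    """Can a PHP script (a File owned by its author) read `target`?"""
    if model == "module":             # module: every script runs as apache
        return unix_can_read(target, APACHE_UID, {APACHE_GID})
    if model == "module+safe_mode":   # safe_mode: script owner must own the file
        return (script.owner == target.owner
                and unix_can_read(target, APACHE_UID, {APACHE_GID}))
    if model == "cgi+suexec":         # assumption: CGI runs as the script's owner
        return unix_can_read(target, script.owner, {script.group})
    raise ValueError(model)

def exposure_table(target):
    """Map (model, script author) -> whether that script can read target."""
    scripts = {"q": File(Q, Q, 0o644), "other": File(OTHER, OTHER, 0o644)}
    return {(m, who): script_can_read(target, s, m)
            for m in ("module", "module+safe_mode", "cgi+suexec")
            for who, s in scripts.items()}

CONF = File(owner=Q, group=APACHE_GID, mode=0o640)   # conf.php from the post

if __name__ == "__main__":
    for key, ok in exposure_table(CONF).items():
        print(key, "readable" if ok else "denied")
```

Only the plain module row reports the other tenant's script as able to read the file. safe_mode is enforced by PHP itself, so it constrains PHP scripts only, while running as the owner also lets conf.php drop to mode 0600.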
