[PHP] Security Question (from Chris's OSCON 2004 talk)
Hi folks.

Thanks to all for the replies to my question about security on shared hosting the other day. I've contacted my hosting provider and they will be fixing the issues I've pointed out to them.

I've got a question about a section of Chris's article on PHP security from his OSCON 2004 talk. When talking about protecting database credentials, Chris mentions creating a file (readable only by root) with the following:

    SetEnv DB_USER myuser
    SetEnv DB_PASS mypass

and then using this:

    Include /path/to/secret-stuff

in the httpd.conf file such that they show up in your $_SERVER array.

I assume that the include directive would be declared inside the section of the httpd.conf file which defines everything for my site? This is probably a stupid question but I want to make sure of what I'm asking my hosting provider before I send my email.

I'm also going to be asking them to set another environment variable, INC_PATH, and then I'll use this to reference the files which I'm including from outside my webroot, such that even if someone reads the files within my webroot, they won't see either the db username or password, nor will they see the path from which I am including sensitive files.

Thoughts?

Cheers and TIA,

Pablo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question (from Chris's OSCON 2004 talk)
Hi folks.

Sorry if this gets posted twice, but I sent it originally almost an hour ago and it hasn't shown up on the list yet.

Thanks to all for the replies to my question about security on shared hosting the other day. I've contacted my hosting provider and they will be fixing the issues I've pointed out to them.

I've got a question about a section of Chris's article on PHP security from his OSCON 2004 talk. When talking about protecting database credentials, Chris mentions creating a file (readable only by root) with the following:

    SetEnv DB_USER myuser
    SetEnv DB_PASS mypass

and then using this:

    Include /path/to/secret-stuff

in the httpd.conf file such that they show up in your $_SERVER array.

I assume that the include directive would be declared inside the section of the httpd.conf file which defines everything for my site? This is probably a stupid question but I want to make sure of what I'm asking my hosting provider before I send my email.

I'm also going to be asking them to set another environment variable, INC_PATH, and then I'll use this to reference the files which I'm including from outside my webroot, such that even if someone reads the files within my webroot, they won't see either the db username or password, nor will they see the path from which I am including sensitive files.

Thoughts?

Cheers and TIA,

Pablo
Re: [PHP] Security Question (from Chris's OSCON 2004 talk)
--- Pablo Gosse [EMAIL PROTECTED] wrote:
> I've got a question about a section of Chris's article on PHP
> security from his OSCON 2004 talk. When talking about protecting
> database credentials, Chris mentions creating a file (readable only
> by root) with the following:
>
>     SetEnv DB_USER myuser
>     SetEnv DB_PASS mypass
>
> and then using this:
>
>     Include /path/to/secret-stuff
>
> in the httpd.conf file such that they show up in your $_SERVER array.

The credit for this approach belongs to David Sklar and Adam Trachtenberg, not me. I just happen to think it's a good approach. :-) I know you weren't explicitly giving me credit, but I wanted to make sure.

> I assume that the include directive would be declared inside the
> section of the httpd.conf file which defines everything for my site?

Yes, and I think this is a point that I left out. I probably thought it was obvious, but many people have emailed me about this. If the Apache Include directive given is not within your VirtualHost block or otherwise restricted to one user, then every user on the server can access that data. So, you want to make sure this directive only applies to you.

> I'm also going to be asking them to set another environment variable,
> INC_PATH, and then I'll use this to reference the files which I'm
> including from outside my webroot, such that even if someone reads
> the files within my webroot, they won't see either the db username
> or password, nor will they see the path from which I am including
> sensitive files.
>
> Thoughts?

This is obscurity, which can be somewhat helpful, but don't rely on this for any sort of protection. While it's true that someone can't easily determine where you have your modules stored, this discovery isn't challenging enough to be considered a safeguard. I think it's best to keep anything that you consider sensitive in the database (this is for shared hosts only, mind you), and use the technique described above to protect your database access credentials.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
    Coming December 2004
    http://httphandbook.org/
Re: [PHP] Security Question (from Chris's OSCON 2004 talk)
On Friday 01 October 2004 00:59, Pablo Gosse wrote:
> When talking about protecting database credentials, Chris mentions
> creating a file (readable only by root) with the following:
>
>     SetEnv DB_USER myuser
>     SetEnv DB_PASS mypass
>
> and then using this:
>
>     Include /path/to/secret-stuff
>
> in the httpd.conf file such that they show up in your $_SERVER array.
>
> I assume that the include directive would be declared inside the
> section of the httpd.conf file which defines everything for my site?
> This is probably a stupid question but I want to make sure of what
> I'm asking my hosting provider before I send my email.

You can also have the following inside your virtual hosts containers:

    php_value mysql.default_host localhost
    php_value mysql.default_user db_user_name
    php_value mysql.default_password db_passwd

Then simply use:

    $link = mysql_connect();

to connect to your database.

Obviously your host should make sure httpd.conf is readable only by root.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/* Grelb's Reminder: Eighty percent of all people consider themselves to be above average drivers. */
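The two approaches in this thread (Chris's SetEnv-plus-Include file that lands in $_SERVER, and Jason's php_value mysql.default_* directives) both move the credentials out of any file under the webroot and into the per-VirtualHost Apache configuration. The following is an added example written for this editorial pass, not code from the thread or from either poster. It assumes mod_php (so that SetEnv values reach $_SERVER and php_value applies inside the vhost), and it uses the mysqli extension's mysqli.default_host / mysqli.default_user / mysqli.default_pw ini keys as the modern counterparts of the mysql.default_* keys Jason quotes, since the old mysql extension no longer exists in current PHP. The vhost fragment in the comment, the DB_HOST variable name and the function names are illustrative assumptions.

```php
<?php
// Added example (not from the thread). Assumed Apache configuration, with
// the Include scoped to one VirtualHost as Chris's reply insists:
//
//   <VirtualHost *:80>
//       ServerName www.example.test           # hypothetical
//       # Chris's approach: root-readable file containing SetEnv lines
//       Include /path/to/secret-stuff
//       # Jason's approach (mysqli ini names assumed here): no SetEnv needed
//       php_value mysqli.default_host localhost
//       php_value mysqli.default_user db_user_name
//       php_value mysqli.default_pw   db_passwd
//   </VirtualHost>
//
// Either approach is enough on its own; the resolver below accepts both
// so the PHP code does not care which one the host chose.

declare(strict_types=1);

/**
 * Resolve database credentials from the server configuration only.
 * Returns ['host' => ..., 'user' => ..., 'pass' => ...] or throws.
 */
function db_credentials(): array
{
    // Chris's approach: SetEnv values appear in $_SERVER under mod_php.
    $user = $_SERVER['DB_USER'] ?? null;
    $pass = $_SERVER['DB_PASS'] ?? null;
    $host = $_SERVER['DB_HOST'] ?? 'localhost';   // DB_HOST is an assumed extra name
    if (is_string($user) && $user !== '' && is_string($pass) && $pass !== '') {
        return ['host' => $host, 'user' => $user, 'pass' => $pass];
    }

    // Jason's approach: values live in the ini defaults instead.
    $user = ini_get('mysqli.default_user');
    $pass = ini_get('mysqli.default_pw');
    $host = ini_get('mysqli.default_host');
    if (is_string($user) && $user !== '' && is_string($pass) && $pass !== '') {
        return [
            'host' => (is_string($host) && $host !== '') ? $host : 'localhost',
            'user' => $user,
            'pass' => $pass,
        ];
    }

    // Fail closed. Do not fall back to credentials hard-coded in a file under
    // the webroot: that file is exactly what the technique exists to avoid.
    throw new RuntimeException('Database credentials not provided by server configuration');
}

/** Open a connection using whichever mechanism the vhost provides. */
function db_connect(): mysqli
{
    $c = db_credentials();
    // Throw instead of printing a warning: a warning that echoes connection
    // details into an HTML page is another way for the credentials to leak.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($c['host'], $c['user'], $c['pass']);
}

/**
 * Deployment check: the credentials are visible to anything running in this
 * vhost, so a stray phpinfo() page or a debug dump of $_SERVER exposes them.
 * Returns the list of problems found (empty array means nothing obvious).
 */
function credential_exposure_warnings(string $docroot): array
{
    $warnings = [];
    foreach (glob(rtrim($docroot, '/') . '/*.php') ?: [] as $file) {
        $src = @file_get_contents($file);
        if ($src === false) {
            continue;
        }
        if (preg_match('/\bphpinfo\s*\(/', $src)) {
            $warnings[] = "$file calls phpinfo(), which prints \$_SERVER and ini values";
        }
        if (preg_match('/(var_dump|print_r)\s*\(\s*\$_SERVER\b/', $src)) {
            $warnings[] = "$file dumps \$_SERVER, which contains the SetEnv credentials";
        }
    }
    return $warnings;
}
```

The resolver looks at $_SERVER first because that is where Chris's SetEnv lines put the values; if the host went with Jason's php_value route instead, ini_get() picks them up. The third function is the check a practitioner would run once after deploying: both mechanisms make the credentials readable by any script in the vhost, so the remaining risk is code under the webroot that prints them, and a phpinfo() page left behind from setup is the usual culprit.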