>><VirtualHost 123.123.123.123>
>>ServerName www.example.com
>>DocumentRoot /home/example/htdocs
>>php_value decryptionkey "123456789"
>></VirtualHost>
>>
>>encode your secret data using the decryptionkey
>>beforehand, and then decode it on the fly using
>>the environment variable present only in your
>>vhost.
>>
>>I'm hoping that no one outside of your vhost can
>>see the value of that variable. (does anyone know
>>if you can pull environment variables from other
>>vhosts or if PHP can read httpd.conf?)
> Alas, if you have access to be altering httpd.conf for the "key" you suggest
> in the first place, I could just put my database secrets there and be done
> with it. Make sure only root (Apache) can read httpd.conf, and the problem
> is solved...
One could put just a db password in the vhost environment or
could do something to decrypt code on the fly.
Could we make this work in a shared environment if httpd.conf
were not world readable and the vhost contained a $cipher,
$cryptmode and a $decryptionkey variable, and files owned by
the webserver user were all read only?
Then doing something like this to protect secret code:
// file() keeps each line's newline, so join with '' to get the
// ciphertext back byte for byte; argument order is cipher, key, data, mode
eval(mcrypt_decrypt($cipher, $decryptionkey,
  join('', file('mysecret.inc')), $cryptmode));
> I *suppose* as an administration issue, having an ISP that
> sets one value one time for you in httpd.conf is easier than
> making them edit httpd.conf all the time for you, but...
> I don't foresee a lot of ISP's embracing this "key" solution,
> personally.
There are ways to reduce the admin overhead on stuff like this...
for example one could give every user an include file doing
something like this in httpd.conf:
## begin Apache vhosts
include /home/user1/vhost.conf
include /home/user2/vhost.conf
include /home/user3/vhost.conf
There'd have to be some validation of what was acceptable within
those files for sure... (perhaps parse the file and only allow
certain settings)...
I think if there were a list of recommended practices on how
to secure shared hosting environments on php.net, consumer
pressure/competitive advantage would sway some ISPs into doing
a little configuration work to protect/keep their clients happy.
-GED
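The decrypt-on-the-fly loader discussed above, written out as an added example (not code from this thread or from PHP's own documentation). It assumes PHP 7+ with ext/openssl in place of the thread's mcrypt (which modern PHP no longer ships), that the per-vhost key is set with Apache's SetEnv rather than php_value (so getenv() can read it), and the file name mysecret.inc.enc is constructed; the HMAC check is an addition so a tampered or foreign ciphertext is rejected before anything is eval()'d.

```php
<?php
// Added example. The key lives only in httpd.conf (readable by root),
// e.g. inside the site's <VirtualHost>:
//   SetEnv DECRYPTIONKEY "<64 hex chars>"      # constructed directive
// openssl AES-256-CBC + HMAC-SHA256 stand in for the thread's mcrypt call.

const SECRET_INC = __DIR__ . '/mysecret.inc.enc';   // constructed file name

// One-time step, run by the site owner off the server: seal plaintext code.
function seal_include(string $plaintext, string $keyHex): string {
    $key = hex2bin($keyHex);
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $key, true);
    return $tag . $iv . $ct;                          // layout: tag(32)|iv(16)|ct
}

// Runtime step: return the plaintext code, or null if the blob is missing,
// was sealed with a different key, or was modified on disk.
function open_sealed_include(string $path, string $keyHex): ?string {
    $blob = @file_get_contents($path);                // binary-safe, unlike file()
    if ($blob === false || strlen($blob) < 48) return null;
    $key = hex2bin($keyHex);
    $tag = substr($blob, 0, 32);
    $iv  = substr($blob, 32, 16);
    $ct  = substr($blob, 48);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $tag)) {
        return null;                                  // wrong key or tampered
    }
    $code = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $code === false ? null : $code;
}

$keyHex = getenv('DECRYPTIONKEY');                    // set by the vhost only
if ($keyHex === false || strlen($keyHex) !== 64 || !ctype_xdigit($keyHex)) {
    http_response_code(500);
    exit('decryption key not provided by the vhost');
}
$code = open_sealed_include(SECRET_INC, $keyHex);
if ($code === null) {
    http_response_code(500);
    exit('secret include missing or failed verification');
}
// eval() at file scope so variables the include defines (e.g. $db_password)
// land in the global scope; the leading '?>' lets the sealed file keep its
// own '<?php' opening tag.
eval('?>' . $code);
```

To produce mysecret.inc.enc, call seal_include() once with the plaintext of mysecret.inc and the same hex key, and write the returned string to disk alongside the loader.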
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php