I've thought about this, as far as those who write having permission to
only view what they are supposed to view/change.
Well, first I thought of an object. But with no private
variables/functions, it's easy to write another object and overload any
functions/variables.
My next thought is this, and I wonder.....
Put a php file in a directory outside of the web tree for the REAL UNIX
user account that Midgard Lite is installed in. All of it would look
like this:
---------------------------------------------------------------------
/home/~user-account-on-shared-isp/www/index.php
Directory apache AND php have access to.
/home/~user-account-on-shared-isp/resources/permission_query.php
---------------------------------------------------------------------
permission_query.php has a function in it, NOT an object. As far as I
know, global functions cannot be redefined, they error out, "function
already defined in this context"
---------------------------------------------------------------------
function permission_query( $user_name, $password ){
    Database name = "dname";
    DBaseUname = "uname";
    DBasePwd = "pwd";
    pseudo code
    if( too many queries for unauthorized access ){
        inform owner with email,
        change permissions to read only
        flag account in database
        return "";
    } else if( clean unauthorized ){
        return "";
    } else if( authorized ){
        return 'file' from database;
    }
}
I'm messing with bzip2, trying to set up icons, blah blah in win95, so I
haven't looked at the present midgard php files, but I will soon.
Dennis Gearon wrote:
>
> So it involves preventing the PHP module from using files that the
> initial user of the executing PHP file doesn't have permission for, that
> probably DOES have to be in mod-midgard, unless the files were ALL
> encrypted and the user needed the code word for each role to unencrypt
> it. SLOW. OTOH, if it were done in ORACLE, then each user would have the
> user permissions of their ORACLE account, sub/account and that could
> block it. I wonder what the permission scheme of MySQL is by comparison.
>
> Instead of making the server do the permissions, make the database do
> it!
>
> Dennis Gearon wrote:
> >
> > Sounds to me like a better permission system, written in PHP with a
> > database backend would do the job? All files have to go through
> > index.php, right? I guess the hole is in the execution of the uploaded
> > php files, huh? THEY have lots of access, locally, just include them
> > from your file and read them. HMMMMMM.
> >
> > Matthias Englert wrote:
> > >
> > > > Is there a comparison chart, like the barebones HTML
> > > > doc I have quoted below, comparing Regular/Lite, Regular/LessFilling,
> > > > Midgard?
> > >
> > > I don't think so...
> > >
> > > Don't forget that there is a security problem in midgard-lite. Everyone
> > > who has write access can get the mysql login/password.
> > >
> > > I have thought a lot about this. The problem is that you can get so much
> > > information in php. You can get a list of classes, of functions, of
> > > class variables... you can hide nothing. I have only one idea left but
> > > this one is not thought out. So it could be complete crap:
> > >
> > > We have public functions and private functions. Every private function
> > > needs a key as parameter if you call (if the key is wrong we sleep for
> > > some time or call exit).
> > >
> > > //private function
> > > function test($key, $other, $params) {
> > >
> > > /* KEY-BEGIN */ $int_key = "this would be generated by installation and maybe periodical"; /* KEY-END */
> > >
> > > if ($key != $int_key)
> > > exit;
> > > }
> > >
> > > //public function
> > > function mgd_test_func($params) {
> > >
> > > /* KEY-BEGIN */ $int_key = "this would be generated by installation and maybe periodical"; /* KEY-END */
> > >
> > > test($int_key, "some stuff", "goes here");
> > >
> > > }
> > >
> > > Any thoughts?
> > >
> > > Of course it would be some work to change midgard-lite this way. But
> > > now, Dennis, you are there... ;-)
> > >
> > > Matthias
> > > ps: Some of the update / create / move functions and some of the more
> > > "special" functions are not implemented yet.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > --
> >
> > If You want to buy computer parts, see the reviews at:
> > http://www.cnet.com/
> > **OR EVEN BETTER COMPILATIONS**!!
> > http://sysopt.earthweb.com/userreviews/products/
> >
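As an added example that is not code from the thread or from Midgard, here is what the permission_query.php idea above could look like as working PHP: a function kept outside the web tree that returns the MySQL login only after a password check and flags a user as read-only after repeated failures. Note that any PHP running in the same process can still call this function or read the file, so it limits accidental exposure but does not stop a hostile uploaded script. The state-file path and JSON layout, the lockout threshold and the bcrypt user table are assumptions made for this example.

```php
<?php
// Added example, not from the thread. Included by index.php from a
// directory outside the web tree; hands out the MySQL login on success
// and locks a user to read-only after LOCKOUT_THRESHOLD failures.

const LOCKOUT_THRESHOLD = 5;                              // assumed value
const STATE_FILE = __DIR__ . '/permission_state.json';    // also outside the web tree

function permission_users(): array {
    // Constructed user table (name => bcrypt hash); a real site reads this from the DB.
    return ['editor' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
}

function load_state(): array {
    $state = is_readable(STATE_FILE) ? json_decode(file_get_contents(STATE_FILE), true) : null;
    return is_array($state) ? $state : ['failures' => [], 'read_only' => []];
}

function save_state(array $state): void {
    file_put_contents(STATE_FILE, json_encode($state), LOCK_EX);
}

// Returns the database login on success, or "" when the caller is not authorized.
function permission_query(string $user_name, string $password): string {
    $state = load_state();
    if (!empty($state['read_only'][$user_name])) {
        return '';                                // already flagged: stay read-only
    }
    $users = permission_users();
    $ok = isset($users[$user_name]) && password_verify($password, $users[$user_name]);
    if (!$ok) {
        $failures = ($state['failures'][$user_name] ?? 0) + 1;
        $state['failures'][$user_name] = $failures;
        if ($failures >= LOCKOUT_THRESHOLD) {
            $state['read_only'][$user_name] = true;   // "change permissions to read only"
            // "inform owner with email": a mail() call to the site owner would go here
            error_log("permission_query: $user_name locked after $failures failed attempts");
        }
        save_state($state);
        return '';
    }
    unset($state['failures'][$user_name]);           // a good login clears the counter
    save_state($state);
    return 'dbname=dname;user=uname;pwd=pwd';        // placeholders from the thread
}
```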