[phplib] Newbie security query
From: John Sutton (john <email protected>)
Date: 09/06/00

Hi there

Sorry if this is going over old ground! I tried the mailing list archive but
the search facility was a bit primitive.

I'm using php3 + phplib for a number of sites on a web server which I control.
I would like to improve the security of the setup. The problem I have is the
existence of a cleartext mysql password in each customer's local.inc file!

As best I can understand this issue, it comes down to this:

1) the apache daemon runs as "nobody" and therefore so does modphp. Hence all
php code must be world readable.

2) Even if I put the php code outside of the apache document root, it remains
true that any customer with either telnet access or their own cgi directory can
read other customers' local.inc files and thus the mysql passwords.

Is this analysis correct? Are there any solutions to this problem? - other than
running php as cgi under suexec which will incur a performance penalty, plus no
doubt other gotchas which I haven't investigated?

TIA

***************************************************
John Sutton
SCL Computer Services
URL http://www.scl.co.uk/
Tel. +44 (0) 1239 621021
***************************************************
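
An added example, not part of John Sutton's message: a Python audit for the exposure described above, reporting every local.inc that the "other" permission bits let any local account read. The directory layout, customer names and placeholder password are constructed; the check covers the shell-account case only, not CGI scripts that run as the web server user.

```python
import os
import stat
import tempfile

def world_reachable(path, root):
    """True if 'other' users can read `path`: the file has o+r and every
    directory from `root` down to it has o+x (search permission)."""
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    d = os.path.dirname(os.path.abspath(path))
    root = os.path.abspath(root)
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False            # a closed parent directory blocks access
        if d == root or d == os.path.dirname(d):
            return True
        d = os.path.dirname(d)

def audit(root, name="local.inc"):
    """Return sorted paths of config files under `root` any local user can read."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            p = os.path.join(dirpath, name)
            if world_reachable(p, root):
                hits.append(p)
    return sorted(hits)

def build_sample_tree():
    """Constructed sample layout: three customers, placeholder password."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    layout = {"cust_a": (0o755, 0o644),   # readable file in an open directory
              "cust_b": (0o755, 0o640),   # file not readable by others
              "cust_c": (0o750, 0o644)}   # readable file, but closed directory
    for cust, (dmode, fmode) in layout.items():
        d = os.path.join(root, cust)
        os.mkdir(d)
        f = os.path.join(d, "local.inc")
        with open(f, "w") as fh:
            fh.write('<?php $Password = "PLACEHOLDER"; ?>\n')
        os.chmod(f, fmode)
        os.chmod(d, dmode)
    return root

if __name__ == "__main__":
    for p in audit(build_sample_tree()):
        print("world-readable:", p)
```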
