Date: 09/06/00
- Next message: Jens Benecke: "[phplib] Extension of table class"
- Previous message: Juan Jose Gonzalez: "[phplib] Question about phplib."
- In reply to: John Sutton: "[phplib] Newbie security query"
- Next in thread: John Sutton: "Re: [phplib] Newbie security query"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 6 Sep 2000, John Sutton wrote:
> Hi there
>
> Sorry if this is going over old ground! I tried the mailing list archive but
> the search facility was a bit primitive.
>
> I'm using php3 + phplib for a number of sites on a web server which I control.
> I would like to improve the security of the setup. The problem I have is the
> existence of a cleartext mysql password in each customer's local.inc file!
>
> As best I can understand this issue, it comes down to this:
>
> 1) the apache daemon runs as "nobody" and therefore so does modphp. Hence all
> php code must be world readable.
>
As do most cgi scripts. Safe mode is your friend-ish here. It will only
interpret scripts owned by the same user as the first called script.
It's a performance penalty, but most security stuff is, and IMHO worth it.
Safe mode can be a real bitch though, so do watch out.
> 2) Even if I put the php code outside of the apache document root, it remains
> true that any customer with either telnet access or their own cgi directory can
> read other customer's local.inc files and thus the mysql passwords.
>
I typically run apache as nobody:webmaster (where webmaster is just
a different gid) and make the doc roots (and all directories in them) group
sticky, so files maintain user ownership while the webserver can still read
them BUT curious users can't read passwords. This of course opens up a
whole can of worms in terms of the security of the webmaster group, so
please take precautions.
-n
--
........
nathan hruby
Webmaster: UGA Department of Drama and Theatre
Project Maintainer: phpSlash, Carousel
nhruby <email protected>
........
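The group-based lockdown Nathan describes (apache running as nobody:webmaster, doc roots made group-sticky so files keep their owner but only the web server group can read them), written out as an added shell example that is not part of the thread. It assumes a Linux box with GNU/POSIX find and chgrp, a group named "webmaster" that apache runs with, and a document root path per customer; the demo mode uses the caller's own group so it can be run without root.

```shell
#!/bin/sh
# Added example, not from the original thread: lock a customer's document root
# down the way the reply describes. Apache is assumed to run as nobody:webmaster,
# so the tree is given the "webmaster" group, the setgid bit on directories (so
# files created later inherit that group), group read access, and no access for
# "others". The group name and the docroot path are assumptions; files keep
# their user owner, only the group changes.

# setup_docroot DIR GROUP
#   DIR   - document root to lock down (created if missing)
#   GROUP - group the web server runs with (e.g. webmaster)
setup_docroot() {
    dir="$1"; group="$2"
    mkdir -p "$dir"
    # keep user ownership, change only the group, recursively
    chgrp -R "$group" "$dir"
    # directories: 2750 = setgid + rwxr-x---
    #   setgid  -> new files inherit GROUP instead of the creator's group
    #   r-x     -> the web server group can list and traverse
    #   ---     -> other local users cannot even enter the directory
    find "$dir" -type d -exec chmod 2750 {} +
    # files: 0640 = rw-r----- (web server group can read local.inc, others cannot)
    find "$dir" -type f -exec chmod 0640 {} +
}

# check_docroot DIR GROUP
#   Exit 0 when everything under DIR belongs to GROUP and grants nothing to
#   "others"; otherwise list the offending paths on stderr and exit 1.
check_docroot() {
    dir="$1"; group="$2"
    offenders=$(find "$dir" \( ! -group "$group" \
                              -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -n "$offenders" ]; then
        printf 'world-accessible or wrong-group entries under %s:\n%s\n' \
            "$dir" "$offenders" >&2
        return 1
    fi
    return 0
}

# Demo when invoked as:  sh lockdown.sh demo
# Uses a temporary directory and the caller's primary group (id -gn) so it works
# without root; in production GROUP would be "webmaster" and DIR the docroot.
case "${1:-}" in
demo)
    demo_root=$(mktemp -d)
    # constructed sample of the file the question is about (placeholder value)
    printf '$DB_PASS = "constructed-placeholder";\n' > "$demo_root/local.inc"
    chmod 644 "$demo_root/local.inc"
    check_docroot "$demo_root" "$(id -gn)" 2>/dev/null \
        || echo "before: local.inc is world-readable"
    setup_docroot "$demo_root" "$(id -gn)"
    check_docroot "$demo_root" "$(id -gn)" && echo "after: locked down"
    rm -rf "$demo_root"
    ;;
esac
```

The check is deliberately separate from the setup so it can be run from cron against every customer's docroot: a file uploaded later with a permissive umask, or chmod'ed by a customer to 644 "to make it work", shows up as an offender even though the directory itself is still correct. The setgid bit only fixes the group of new files, not their mode, so the check (or a forced umask of 027 for the users who write there) is what keeps the passwords closed to other shell accounts.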