Re: SQL Access Problem

From: jaywhy (jaywhy2@home.com)
Date: 10/24/01 

Date: Tue, 23 Oct 2001 18:13:21 -0400
Subject: Re: SQL Access Problem
From: jaywhy <jaywhy2@home.com>
To: Antoine Pouch <antoine@ws-interactive.fr>, <focus-linux@securityfocus.com>
Message-ID: <B7FB63C1.39E8%jaywhy2@home.com>

on 10/22/01 12:20 PM, Antoine Pouch at antoine@ws-interactive.fr wrote:

>
> Don't run Apache as nobody. Be nice to him, give him an user account.
> Unless someone can explain why it should be run as nobody ?

It doesn't matter what user you run Apache at, because the SQL configuration
file still most be readable by the apache user. Therefore, anyone with CGI
executable access can print out the file.

Since I wrote the original message, I figured out a few things that can be
done to get around the problem. None are really that great.

1. Run suExec. Which wouldn't allow you to access files beyond your
document root, and also has a few other security checks.

2. Run proprietary web server. Proprietary web server could run as the
owner of the file and Apache as another user.

3. Run two Apache's. One as a normal user and one who as the owner of the
SQL configuration file.

The best solution is suExec by far. Does anyone run Miva or any other
commercial shopping cart programs, because they are probably all susceptible
without suExec. 

-- 
Jason Yates - jaywhy2@home.com
Network Administrator - RHCE

"Thoughtcrime does not entail death: thoughtcrime IS death."

Relevant Pages

  • [ANNOUNCE] mod_sqil: Ein RDBMS => XML Wrapper
    ... Die erste Beta von des Apache Moduls mod_sqil ist fertig. ... Das Modul ist bis jetzt ... SQIL ist eine SQL "Server Page" Erweiterung. ...
    (de.comp.datenbanken.mysql)
  • Re: Login based Site redirection
    ... without using SQL which you have to use otherwise to administer the usernames/usergroups. ... I suppose your Homepage is hosted on an Apache Server. ... With .htaccess-files you can simply set different rights to special groups/users, if a user wants to enter a site which he is not allowed to view with his current user a login-window is shown. ... Perhaps somebody has got a better idea (beside SQL, I think it's quite difficult to learn)? ...
    (alt.html)
  • Re: SQL Access Problem
    ... Subject: SQL Access Problem ... > Mifa needs that file for itself to create the database connection for ... Don't run Apache as nobody. ...
    (Focus-Linux)
  • Problem getting started
    ... PHP (with My SQL). ... I've installed these on my home PC (together with Apache web server as ... appearing in the browser correctly last week when I tried. ...
    (comp.lang.php)
  • Re: Screen power-down when game quits
    ... This is certainly Linus over my shoulder saying, "SQL and Apache are your ... concerns, grasshopper. ... No distractions. ... SQL and Apache." ...
    (alt.os.linux.suse)