Re: Deny Access To configuration file using php scripts

From: Bruce Garlock (bruceg_at_garlockprinting.com)
Date: 03/01/05

    Date: Tue, 01 Mar 2005 14:32:41 -0500
    To: raT <ratmole@gmail.com>
    
    
    

    One thing I do is run my PHP scripts that have config files outside of
    the webroot, so there is no way they can get at them. Since the webroot
    is kind of a chroot jail for the webuser, there is no way they can get
    below the root web directory. Do some searching on Google to find out
    more specifics, but if your web root is /var/www/html, then simply put
    your critical php scripts in /var/www/secure/somewhere and then call the
    scripts from your webroot.

    Many applications do this now, for this kind of security. Take a look
    at a SquirrelMail RPM install, and you will see that most of the PHP
    files are actually located in /usr/lib/squirrelmail and not the web root.

    Good luck!

    - Bruce

    raT wrote:
    > Hello, I have a web server and I have a major problem
    >
    > some of my users are trying to find my pass for my mysql database.
    >
    > the first thing they do is a
    > system ('cat /var/www/path to config file');
    > inside a php script
    >
    > my problem is to deny this file from being read through the script since
    > the apache daemon runs as nobody
    > and it has to have read permission to the configuration file.
    >
    > my users have shell accounts and can create files in the public_html folder.
    > any help?
    > snif!
    >
    > thanks in advance.
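
A check for the layout described in the message above, as an added example that is not part of the original post: it reports whether a config file resolves to a path under the web root, is reachable through a symlink inside it, or is world-readable. The function names, the finding labels, the `html2` directory and the fixture files are assumptions constructed for illustration.

```shell
# Added example: audit where a PHP config file sits relative to the web root.
# Fixture paths are constructed under a temp dir; nothing here is from the thread's server.

# True if FILE, after resolving symlinks and "..", lies under WEBROOT.
is_inside_webroot() {
    local root file
    root=$(realpath -- "$1") || return 2
    file=$(realpath -- "$2") || return 2
    case "$file" in
        "$root"/*) return 0 ;;  # the "/" keeps /var/www/html2 from matching /var/www/html
        *)         return 1 ;;
    esac
}

# True if any symlink under WEBROOT resolves to FILE.
linked_from_webroot() {
    local target
    target=$(realpath -- "$2") || return 2
    find "$1" -type l -exec sh -c \
        '[ "$(realpath -- "$1" 2>/dev/null)" = "$2" ]' sh {} "$target" \; -print |
        grep -q .
}

# Prints MISSING, INSIDE_WEBROOT, SYMLINKED_FROM_WEBROOT, WORLD_READABLE or OK.
audit_config() {
    [ -e "$2" ] || { echo MISSING; return 0; }
    if is_inside_webroot "$1" "$2"; then
        echo INSIDE_WEBROOT
    elif linked_from_webroot "$1" "$2"; then
        echo SYMLINKED_FROM_WEBROOT
    elif [ -n "$(find "$(realpath -- "$2")" -prune -perm -004)" ]; then
        echo WORLD_READABLE     # any shell account on the host can read it
    else
        echo OK
    fi
}

# Constructed layout using the directory names from the message above.
make_fixture() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/var/www/html/app" "$base/var/www/html2" "$base/var/www/secure"
    for f in html/app/config.php html2/config.php secure/db.php secure/linked.php; do
        echo '<?php /* constructed */' > "$base/var/www/$f"
    done
    chmod 640 "$base/var/www/html2/config.php" "$base/var/www/secure/linked.php"
    chmod 644 "$base/var/www/secure/db.php"
    ln -s "$base/var/www/secure/linked.php" "$base/var/www/html/app/inc.php"
    echo "$base"
}
```

Call `audit_config WEBROOT FILE` for each config file; `make_fixture` prints the root of a throwaway tree to try it on.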

