Re: Deny Access To configuration file using php scripts

From: Joachim Schipper (j.schipper_at_math.uu.nl)
Date: 03/02/05

    Date: Wed, 2 Mar 2005 01:26:20 +0100
    To: focus-linux@securityfocus.com

    On Tue, Mar 01, 2005 at 07:54:12PM +0200, raT wrote:
    > Hello, I have a web server and I have a major problem.
    >
    > Some of my users are trying to find my password for my MySQL database.
    >
    > The first thing they do is a
    > system ('cat /var/www/path to config file');
    > inside a PHP script.
    >
    > My problem is to deny this file from being read through the script, since
    > the Apache daemon runs as nobody
    > and it has to have read permission to the configuration file.
    >
    > My users have shell accounts and can create files in the public_html folder.
    > Any help?
    > snif!
    >
    > Thanks in advance.

    The Apache docs seem to recommend using suExec (not sure about
    capitalization). Why not go with that? (Just remember that mod_php isn't
    inhibited - you'll want true CGI. Same goes for mod_perl, mod_python,
    etc, by the way.)

    Yes, suExec is a bother to set up. PHP's safe mode offers some of the
    same safeguards, but I do not know enough about it and would recommend
    reading up on it a lot before entrusting your security to it. It's
    better performance-wise than suExec, though.

    Not running Apache as the - actually rather powerful - nobody user and
    not leaving sensitive passwords in any file on the system might be good
    ideas, too, depending on your particular layout. Don't forget to
    disallow overriding your configuration in .htaccess files, too.

                    Joachim
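As an added illustration of the setup Joachim describes (this is not configuration from the thread or from the Apache project), the fragment below shows an Apache 2.x virtual host that runs PHP as a CGI under suEXEC, so a script in one user's public_html executes as that user rather than as the shared server account, and a config file chmod 600 to its owner is unreadable from anyone else's script. The hostnames, paths, usernames and the wrapper-script location are placeholders, and it assumes httpd was built with mod_suexec whose compile-time settings (see `suexec -V`) allow the paths used here.

```apache
# Added example, not from the original thread. Assumes Apache 2.x built with
# mod_suexec; the compiled-in suexec document root (check with `suexec -V`)
# must cover the directories referenced below. Names and paths are placeholders.

# mod_php runs inside the httpd process as the server user, so suEXEC cannot
# constrain it. Leave the module unloaded and run PHP as a CGI instead.
#LoadModule php4_module modules/libphp4.so

# Global default: nothing is executable, and .htaccess cannot change anything.
<Directory />
    Options None
    AllowOverride None
</Directory>

<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/public_html

    # Every CGI under this vhost, including the PHP wrapper, runs as alice:alice.
    # suexec also refuses to run anything not owned by alice or writable by others.
    SuexecUserGroup alice alice

    # Per-user wrapper, owned by alice, mode 0755, containing only:
    #   #!/bin/sh
    #   exec /usr/bin/php-cgi "$@"
    ScriptAlias /cgi-bin/ /home/alice/cgi-bin/
    Action php-handler /cgi-bin/php-wrapper
    AddHandler php-handler .php

    <Directory /home/alice/public_html>
        Options None
        # Users cannot re-enable a module handler or loosen Options via .htaccess.
        AllowOverride None
    </Directory>
</VirtualHost>

# With this in place, /home/alice/public_html/config.php can be
#   chown alice:alice config.php && chmod 600 config.php
# Alice's scripts (running as alice) read it; Bob's system('cat ...') runs as bob
# and gets "Permission denied", and the httpd server user never needs access.
```

The trade-off Joachim mentions is real: each .php request forks php-cgi through suexec, which is far slower than mod_php, and suexec is strict about ownership, modes and document-root boundaries, so test with a deliberately misconfigured wrapper and read the suexec log before relying on it.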

