Re: Deny Access To configuration file using php scripts

From: Joachim Schipper (j.schipper_at_math.uu.nl)
Date: 03/02/05

  • Next message: Tosoni: "RE: Deny Access To configuration file using php scripts"
    Date: Wed, 2 Mar 2005 01:26:20 +0100
    To: focus-linux@securityfocus.com
    
    

    On Tue, Mar 01, 2005 at 07:54:12PM +0200, raT wrote:
    > Hello, I have a web server and I have a major problem.
    >
    > Some of my users are trying to find my pass for my MySQL database.
    >
    > The first thing they do is a
    > system ('cat /var/www/path to config file');
    > inside a PHP script.
    >
    > My problem is to deny this file from being read through the script, since
    > the Apache daemon runs as nobody
    > and it has to have read permission to the configuration file.
    >
    > My users have shell accounts and can create files in the public_html folder.
    > Any help?
    > snif!
    >
    > Thanks in advance.

    The Apache docs seem to recommend using suExec (not sure about
    capitalization). Why not go with that? (Just remember that mod_php isn't
    inhibited - you'll want true CGI. Same goes for mod_perl, mod_python,
    etc, by the way.)

    Yes, suExec is a bother to set up. PHP's safe mode offers some of the
    same safeguards, but I do not know enough about it and would recommend
    reading up on it a lot before entrusting your security to it. It's
    better performance-wise than suExec, though.

    Not running Apache as the - actually rather powerful - nobody user and
    not leaving sensitive passwords in any file on the system might be good
    ideas, too, depending on your particular layout. Don't forget to
    disallow overriding your configuration in .htaccess files, too.

                    Joachim
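
A small audit helper for the two points raised in this reply (owner-only permissions on the config file, which only help once user scripts no longer run as the shared web user, and AllowOverride None for user directories), added here as an example that is not part of the original thread. It assumes GNU stat and takes the web server's account name (e.g. nobody) as an argument.

```shell
#!/bin/sh
# Added audit helper, not from the original thread. Assumes GNU stat (-c).

# config_file_exposed FILE WEBUSER
# Returns 0 when FILE could be read by other users' scripts: it is group- or
# world-readable, or it is owned by the web server user itself (under mod_php
# every script runs as that user, so ownership alone gives it away).
# Returns 1 when the file is owner-only and owned by a separate account,
# which is the layout suEXEC/CGI makes possible.
config_file_exposed() {
    file=$1 webuser=$2
    owner=$(stat -c '%U' "$file") || return 2
    mode=$(stat -c '%a' "$file") || return 2
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done   # pad e.g. "60" -> "060"
    mode=${mode#"${mode%???}"}                        # keep low three octal digits
    group=${mode%?}; group=${group#?}                 # middle digit
    other=${mode#??}                                  # last digit
    [ "$owner" = "$webuser" ] && return 0
    [ $((group & 4)) -ne 0 ] && return 0              # group read bit set
    [ $((other & 4)) -ne 0 ] && return 0              # world read bit set
    return 1
}

# allowoverride_violations HTTPD_CONF
# Prints every AllowOverride directive in HTTPD_CONF that is not "None",
# i.e. directories where a user's .htaccess could alter your configuration.
# Exit status 0 when at least one such line exists, 1 when there are none.
allowoverride_violations() {
    grep -in '^[[:space:]]*AllowOverride' "$1" |
        grep -iv 'AllowOverride[[:space:]]*None[[:space:]]*$'
}

# Usage: sh audit.sh /var/www/config.php nobody /etc/httpd/httpd.conf
if [ $# -eq 3 ]; then
    if config_file_exposed "$1" "$2"; then echo "EXPOSED: $1"; else echo "ok: $1"; fi
    allowoverride_violations "$3" || echo "ok: no AllowOverride other than None in $3"
fi
```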

