Re: Deny Access To configuration file using php scripts

From: Joachim Schipper (j.schipper_at_math.uu.nl)
Date: 03/02/05

    Date: Wed, 2 Mar 2005 01:26:20 +0100
    To: focus-linux@securityfocus.com
    
    

    On Tue, Mar 01, 2005 at 07:54:12PM +0200, raT wrote:
    > Hello, I have a web server and I have a major problem.
    >
    > Some of my users are trying to find my pass for my MySQL database.
    >
    > The first thing they do is a
    > system ('cat /var/www/path to config file');
    > inside a PHP script.
    >
    > My problem is to deny this file from being read through the script, since
    > the Apache daemon runs as nobody
    > and it has to have read permission to the configuration file.
    >
    > My users have shell accounts and can create files in the public_html folder.
    > Any help?
    > snif!
    >
    > thanks in advance.

    The Apache docs seem to recommend using suExec (not sure about
    capitalization). Why not go with that? (Just remember that mod_php isn't
    inhibited - you'll want true CGI. Same goes for mod_perl, mod_python,
    etc, by the way.)

    Yes, suExec is a bother to set up. PHP's safe mode offers some of the
    same safeguards, but I do not know enough about it and would recommend
    reading up on it a lot before entrusting your security to it. It's
    better performance-wise than suExec, though.

    Not running Apache as the - actually rather powerful - nobody user and
    not leaving sensitive passwords in any file on the system might be good
    ideas, too, depending on your particular layout. Don't forget to
    disallow overriding your configuration in .htaccess files, too.

                    Joachim
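    The configuration below is an added illustration of the setup Joachim
    describes; it is not part of the original thread and not Apache's
    documentation. It assumes Apache 2.4 syntax with mod_suexec, mod_cgi,
    mod_actions and mod_mime loaded, a hosting user "alice" with a
    DocumentRoot under /home/alice/public_html (the compiled-in suEXEC
    docroot is assumed to cover /home), and a CGI PHP binary at
    /usr/bin/php-cgi reached through a wrapper owned by alice. All of these
    names are hypothetical.

    ```apache
    # --- httpd.conf (added example, not from the thread) ---

    # Run the parent server as a dedicated account, not as "nobody"
    # (assumed account name; the point is that it owns nothing else).
    User www-data
    Group www-data

    # Deny everything by default and forbid .htaccess overrides, so a user
    # cannot re-enable mod_php, change handlers or loosen access rules.
    <Directory />
        AllowOverride None
        Require all denied
    </Directory>

    # Make sure mod_php is not in play at all for hosted sites; with mod_php
    # every user's script runs as the server user and can read anything it can.
    # (Either do not LoadModule php, or leave no AddHandler/AddType for it.)

    <VirtualHost *:80>
        ServerName alice.example.com
        DocumentRoot /home/alice/public_html

        # CGI programs under this vhost run as alice:alice via suEXEC.
        # suEXEC refuses to run anything not owned by alice, writable by
        # others, or outside the compiled-in docroot.
        SuexecUserGroup alice alice

        ScriptAlias /cgi-bin/ /home/alice/public_html/cgi-bin/

        <Directory /home/alice/public_html>
            Options +ExecCGI -Indexes
            AllowOverride None
            Require all granted

            # Hand .php files to a CGI wrapper instead of an in-process module.
            # Hypothetical wrapper: a two-line script that exec's /usr/bin/php-cgi.
            AddHandler php-cgi .php
            Action php-cgi /cgi-bin/php-wrapper
        </Directory>

        # Belt and braces: never serve the configuration file over HTTP.
        <Files "config.php">
            Require all denied
        </Files>
    </VirtualHost>

    # Shell side (run once per user, as root):
    #   chown alice:alice /home/alice/public_html/config.php
    #   chmod 0600        /home/alice/public_html/config.php
    #   chown alice:alice /home/alice/public_html/cgi-bin/php-wrapper
    #   chmod 0755        /home/alice/public_html/cgi-bin/php-wrapper
    ```

    With this layout alice's own scripts still read her config.php, because
    they execute as alice, but a script in another user's public_html runs
    as that user and `system('cat /home/alice/public_html/config.php')`
    fails with "Permission denied". That separation is exactly what mod_php
    cannot provide: whatever is readable by the single web-server user is
    readable by every user who can drop a PHP file into a served directory.
    Note that suEXEC is strict about ownership and modes of the wrapper and
    its directory; check the suexec_log if scripts start returning 500.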

