RE: Deny Access To configuration file using php scripts

From: Tosoni (jean-pierre.tosoni_at_libertysurf.fr)
Date: 03/01/05

  • Next message: Brent Meshier: "RE: Deny Access To configuration file using php scripts"
To: "focus-linux@securityfocus.com" <focus-linux@securityfocus.com>
Date: Tue, 1 Mar 2005 21:13:16 +-100

Three-fold approach:

1) The config file must be owned by 'nobody' and readable only by 'nobody'. This takes care of the shell accounts.

2) Use PHP safe_mode; this takes care of direct file access.

3) Specify a PHP safe_mode_exec_dir which will contain the bare minimum of safe executables (don't put 'cat' inside, or replace it with a version which refuses to cat sensitive info). This directory and its parents must not be writable by your users.

I suggest that you remove shell accounts from the bad guys as a punishment...

From raT on March 1, 2005:
> the first thing they do is a
> system ('cat /var/www/path to config file');
> inside a php script
>
> my problem is to deny this file from being read through the script since
> the apache daemon runs as nobody
> and it has to have read permission to the configuration file.
>
> my users have shell accounts and can create files in the public_html folder.
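The file-system side of steps 1 and 3 above, as an added POSIX shell example that is not part of the original post or the list thread: one function checks that a config file is owned by the expected account with no group or other permission bits at all, and another walks from the safe_mode_exec_dir up to a top directory and refuses any directory that group or other can write to. It assumes the standard `ls -ld` column layout (mode string first, owner third); the `nobody` owner and the `/var/www` paths in the usage comments are placeholders. Step 2 is not covered here because safe_mode was removed in PHP 5.4, so on current PHP only the ownership and directory-chain checks still apply.

```shell
#!/bin/sh
# Added example: permission checks for steps 1 and 3 of the three-fold
# approach. Not from the original post; 'nobody' and the paths are assumptions.

# perms_of PATH -> symbolic mode string from `ls -ld`, e.g. -rw-------
perms_of() {
    ls -ld "$1" | awk '{print $1}'
}

# owner_of PATH -> owner column from `ls -ld` (name, or numeric uid if unknown)
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# config_ok FILE OWNER
# Step 1: FILE must be owned by OWNER and carry no group/other bits at all
# (i.e. mode 0600 or 0400). Characters 5-10 of the mode string are the
# group and other triplets; every one of them must be '-'.
config_ok() {
    f=$1
    want=$2
    [ "$(owner_of "$f")" = "$want" ] || return 1
    case "$(printf '%s' "$(perms_of "$f")" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# exec_dir_chain_ok DIR [TOP]
# Step 3: DIR and each parent up to TOP (default "/") must not be writable by
# group (mode char 6) or other (mode char 9). A writable parent would let an
# unprivileged user rename or replace the whole exec directory, so the chain
# matters as much as the directory itself.
exec_dir_chain_ok() {
    d=$1
    top=${2:-/}
    while :; do
        mode=$(perms_of "$d")
        g=$(printf '%s' "$mode" | cut -c6)
        o=$(printf '%s' "$mode" | cut -c9)
        if [ "$g" != "-" ] || [ "$o" != "-" ]; then
            return 1
        fi
        if [ "$d" = "$top" ] || [ "$d" = "/" ]; then
            return 0
        fi
        d=$(dirname "$d")
    done
}

# Usage (placeholder paths):
#   config_ok /var/www/app/config.php nobody && echo "config file ok"
#   exec_dir_chain_ok /usr/local/php-safe-bin && echo "exec dir chain ok"
```

Run both checks from cron or a deployment hook; a non-zero exit from either means a shell user could read the file directly or tamper with the executables PHP is allowed to run.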

