RE: Deny Access To configuration file using php scripts

From: Tosoni (jean-pierre.tosoni_at_libertysurf.fr)
Date: 03/01/05

    To: "focus-linux@securityfocus.com" <focus-linux@securityfocus.com>
    Date: Tue, 1 Mar 2005 21:13:16 +-100
    
    

    Threefold approach:
    1) the config file must be owned by 'nobody' and readable only by 'nobody'. This takes care of the shell accounts.

    2) use PHP safe_mode; this takes care of direct file access

    3) specify a PHP safe_mode_exec_dir which will contain the bare minimum safe executables (don't put 'cat' inside, or replace it by a version which refuses to cat sensitive info). This directory and its parents must not be writeable by your users.

    I suggest that you remove shell accounts from the bad guys as a punishment...

    From raT on March 1, 2005:
    > the first thing they do is a
    > system ('cat /var/www/path to config file');
    > inside a php script

    > my problem is to deny this file from being read through the script since
    > the apache daemon runs as nobody
    > and it has to have read permission to the configuration file.

    > my users have shell accounts and can create files in the public_html folder.
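
One way to audit steps 1 and 3 of the advice above, as an added example that is not part of the original message. It assumes GNU `stat` on Linux; the function names and the optional stop-directory argument are this example's own, and all paths and the service user are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: check the file and directory permissions the message asks for.

# Step 1: config file owned by the web server user, with no group/other bits.
config_is_private() {
    local file=$1 owner=$2 actual_owner mode
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual_owner=$(stat -c %U "$file")
    mode=$(stat -c %a "$file")          # octal mode, e.g. 400
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $file is owned by $actual_owner, expected $owner" >&2
        return 1
    fi
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode, group/other can access it" >&2
        return 1
    fi
    return 0
}

# Step 3: safe_mode_exec_dir and each of its parents must not be writable
# by group or other. The optional second argument (an assumption of this
# example, used for testing) is the directory at which the upward walk stops.
exec_dir_is_locked() {
    local dir stop mode
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1" >&2; return 2; }
    stop=$(cd "${2:-/}" 2>/dev/null && pwd -P) || stop=/
    while :; do
        mode=$(stat -c %a "$dir")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $dir has mode $mode, writable by group/other" >&2
            return 1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return 0
}
```

Run both functions as root against the live paths, passing `nobody` as the expected owner. `safe_mode` and `safe_mode_exec_dir` were removed in PHP 5.4, so steps 2 and 3 apply only to older PHP versions.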

