RE: Deny Access To configuration file using php scripts
From: Tosoni (jean-pierre.tosoni_at_libertysurf.fr)
To: "email@example.com" <firstname.lastname@example.org>
Date: Tue, 1 Mar 2005 21:13:16 +-100
1) The config file must be owned by 'nobody' and readable only by 'nobody'. This takes care of the shell accounts.
2) Use PHP safe_mode; this takes care of direct file access.
3) Specify a PHP safe_mode_exec_dir which will contain the bare minimum of safe executables (don't put 'cat' inside, or replace it by a version which refuses to cat sensitive info). This directory and its parents must not be writable by your users.
I suggest that you remove shell accounts from the bad guys as a punishment...
From raT on March 1, 2005:
> the first thing they do is a
> system ('cat /var/www/path to config file');
> inside a php script
> my problem is to deny this file from being read through the script since
> the apache daemon runs as nobody
> and it has to have read permission to the configuration file.
> my users have shell accounts and can create files in the public_html folder.
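An added example (not from either poster) that audits the three measures in the reply above: it checks that the config file is owned by the web server user with no group/other permission bits (step 1), checks that a safe_mode_exec_dir and every parent up to a given top directory are not group/other writable and contain no 'cat' (step 3), and prints the php.ini lines for steps 2 and 3. The file paths, the 'nobody' user and the exec-dir location are assumptions; 'stat -c' is GNU coreutils syntax. One caveat for readers of this thread today: safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so steps 2 and 3 only apply to the PHP 4/5.x versions current when this was written, while the ownership and mode check in step 1 still applies.

```shell
#!/bin/sh
# Added example, not code from the original thread. Paths, the 'nobody'
# user and the exec-dir location below are assumptions.

# Succeed only if FILE is owned by OWNER and its mode is 0400/0600/0700
# style: the owner may read, and group/other have no bits at all.
config_perms_ok() {
    file="$1"
    owner="$2"
    [ -f "$file" ] || return 1
    cur_owner=$(stat -c '%U' "$file") || return 1
    [ "$cur_owner" = "$owner" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    case "$mode" in
        [4567]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if DIR exists, contains no 'cat', and neither DIR nor any
# parent up to TOP (default /) is group- or other-writable. Walking up the
# tree matters: a writable parent lets a user rename the directory away
# and put their own in its place.
exec_dir_ok() {
    dir="$1"
    top="${2:-/}"
    [ -d "$dir" ] || return 1
    [ ! -e "$dir/cat" ] || return 1
    d="$dir"
    while :; do
        m=$(stat -c '%a' "$d") || return 1
        # The last two octal digits are group and other; the write bit
        # is 2, so each digit must be one of 0, 1, 4 or 5.
        case "$m" in
            *[0145][0145]) ;;
            *) return 1 ;;
        esac
        [ "$d" = "$top" ] && break
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    return 0
}

# Print the php.ini directives for steps 2 and 3 (pre-PHP 5.4 only).
php_ini_hardening() {
    printf 'safe_mode = On\nsafe_mode_exec_dir = "%s"\n' "$1"
}

# Demo on a constructed temporary file; a real check would point at the
# application's config file (assumed path: /var/www/app/config.php, owned
# by nobody) and at the exec dir named in php.ini.
demo_file=$(mktemp)
chmod 600 "$demo_file"
if config_perms_ok "$demo_file" "$(id -un)"; then
    echo "config ok: $demo_file is readable only by its owner"
else
    echo "config BAD: $demo_file is readable by group/other or has wrong owner"
fi
rm -f "$demo_file"
php_ini_hardening /usr/local/php-safe-bin
```

For the real deployment, run config_perms_ok against the config file with 'nobody' as the owner argument, and exec_dir_ok against the directory named in safe_mode_exec_dir with no top argument so the walk continues to /.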