RE: Deny Access To configuration file using php scripts
From: Tosoni (jean-pierre.tosoni_at_libertysurf.fr)
Date: 03/01/05
- Previous message: Joachim Schipper: "Re: Deny Access To configuration file using php scripts"
- Maybe in reply to: raT: "Deny Access To configuration file using php scripts"
- Next in thread: Brent Meshier: "RE: Deny Access To configuration file using php scripts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "focus-linux@securityfocus.com" <focus-linux@securityfocus.com>
Date: Tue, 1 Mar 2005 21:13:16 +-100
Three-fold approach:
1) the config file must be owned by 'nobody' and readable only by 'nobody'. This takes care of the shell accounts.
2) use PHP safe_mode; this takes care of direct file access.
3) specify a PHP safe_mode_exec_dir which will contain the bare minimum of safe executables (don't put 'cat' inside, or replace it by a version which refuses to cat sensitive info). This directory and its parents must not be writable by your users.
I suggest that you remove shell accounts from the bad guys as a punishment...
From raT on March 1, 2005:
> the first thing they do is a
> system ('cat /var/www/path to config file');
> inside a php script
> my problem is to deny this file from being read through the script since
> the apache daemon runs as nobody
> and it has to have read permission to the configuration file.
> my users have shell accounts and can create files in the public_html folder.
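The three steps from the message above, written out as a script. This is an added example, not code from the original post or from either poster. It assumes GNU coreutils (`stat -c %a`, `readlink -f`); the paths `/var/www/app/config.php` and `/usr/local/php-safe-bin` are placeholders; and the php.ini directives are PHP's `safe_mode` / `safe_mode_exec_dir` settings, which exist only in PHP 4 and in PHP 5 before 5.4, where safe mode was removed.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholder values:
CONFIG=/var/www/app/config.php    # assumed path of the config file
WEB_USER=nobody                   # user the Apache daemon runs as
EXEC_DIR=/usr/local/php-safe-bin  # assumed safe_mode_exec_dir

# Step 1: config owned by the web user and readable by nobody else
# (needs root for the chown).
lock_config() {
    chown "$2" "$1" && chmod 0400 "$1"
}

# Step 2: php.ini fragment enabling safe_mode and the restricted exec dir.
php_ini_fragment() {
    cat <<EOF
; safe_mode: PHP 4 / PHP 5 < 5.4 only
safe_mode = On
safe_mode_exec_dir = $EXEC_DIR
EOF
}

# Step 3a: verify that DIR and every parent up to TOP (default "/") are not
# writable by group or others. Returns 0 if the chain is locked, 1 otherwise.
dir_chain_locked() {
    d=$1
    top=${2:-/}
    while :; do
        mode=$(stat -c %a "$d") || return 1     # GNU stat, e.g. "755" or "1777"
        g=$(( (mode / 10) % 10 ))               # group permission digit
        o=$(( mode % 10 ))                      # other permission digit
        if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
            echo "writable by group/others: $d (mode $mode)" >&2
            return 1
        fi
        [ "$d" = "$top" ] && return 0
        [ "$d" = "/" ] && return 0
        d=$(dirname "$d")
    done
}

# Step 3b: install a 'cat' replacement in DIR that refuses to print the
# protected file (compared after resolving symlinks with readlink -f).
make_restricted_cat() {
    dir=$1
    protected=$(readlink -f -- "$2") || return 1
    cat > "$dir/cat" <<EOF
#!/bin/sh
# Wrapper around /bin/cat that refuses to print the protected config file.
PROTECTED='$protected'
for f in "\$@"; do
    case "\$f" in -*) continue ;; esac
    if [ "\$(readlink -f -- "\$f" 2>/dev/null)" = "\$PROTECTED" ]; then
        echo "cat: \$f: refused" >&2
        exit 1
    fi
done
exec /bin/cat "\$@"
EOF
    chmod 0755 "$dir/cat"
}

# Typical use (as root):
#   lock_config "$CONFIG" "$WEB_USER"
#   mkdir -p "$EXEC_DIR" && make_restricted_cat "$EXEC_DIR" "$CONFIG"
#   dir_chain_locked "$EXEC_DIR" || echo "fix permissions before enabling safe_mode"
#   php_ini_fragment >> /etc/php.ini
```

The wrapper only blocks one path, so it is a last line of defence, not the control: the real barrier is that `safe_mode_exec_dir` keeps every other binary out of reach, and `dir_chain_locked` exists because a single group- or world-writable parent directory lets a local user swap the whole exec directory for one of their own.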