Re: Deny Access To configuration file using php scripts
From: Igor Plisco (igor_at_plisco.ru)
Date: Wed, 02 Mar 2005 16:27:46 +0300
To: raT <firstname.lastname@example.org>
Once upon a time raT shaped electrons to tell:
> Some of my users are trying to find my pass for my MySQL database.
> The first thing they do is a
> system ('cat /var/www/path to config file');
> inside a PHP script.
Remember that there is another way to read the file. It works
even under a suExec user environment, if 1) your site runs under the user
nobody (or www in some configurations), and 2) the file with the MySQL password
is placed on the same partition as the user homes.
Suppose you have the file mysql_passwd containing the MySQL password:
$ ls -l mysql_passwd
-r-------- 1 nobody nobody 1234 Feb 25 19:17 mysql_passwd
The user, say user1, can't read the file's contents either from the shell or
from his cgi-bin scripts (in a suExec environment). But he can execute the
following command in his shell or cgi-bin:
user1$ ln mysql_passwd ~/public_html/a.html
In his browser he opens the page:
Run your server in a suExec environment under a special user account that is not
equal to 'nobody'.
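As an added defensive check (not part of Igor's mail), a POSIX shell script that reports when a sensitive file has more than one hard link and lists the other paths sharing its inode, such as a copy linked into a user's public_html; the directory layout and file contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes POSIX sh, ls, awk and a
# find that supports -samefile (GNU and BSD find both do).

# Print the hard-link count of a file (second column of ls -ld).
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Return 0 if the file has exactly one link; otherwise warn, print every other
# path under $2 that shares its inode, and return 1.
check_hardlinks() {
    file=$1; root=$2
    n=$(link_count "$file")
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    echo "WARNING: $file has $n hard links" >&2
    find "$root" -samefile "$file" ! -path "$file" 2>/dev/null
    return 1
}

# Demo in a temporary tree (constructed): a mode-400 password file plus a
# hard link to it placed in a user's public_html, as in the mail.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/home/user1/public_html"
    echo "db_password=constructed-sample" > "$tmp/etc/mysql_passwd"
    chmod 400 "$tmp/etc/mysql_passwd"
    ln "$tmp/etc/mysql_passwd" "$tmp/home/user1/public_html/a.html"
    if check_hardlinks "$tmp/etc/mysql_passwd" "$tmp/home"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

On Linux the sysctl fs.protected_hardlinks=1 additionally refuses hard links to files the caller does not own and cannot read or write, which blocks the `ln` step itself; the check above still catches links created before that setting was applied.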