Re: Very basic security question:

From: Curt Seeliger (seeliger.curt@epa.gov)
Date: 01/24/03

    From: Curt Seeliger <seeliger.curt@epa.gov>
    To: security-basics@securityfocus.com
    Date: Fri, 24 Jan 2003 10:07:07 -0800
    
    

    On Thursday 23 January 2003 11:31 am, Brad Arlt wrote:
    >
    > Thou shalt not let network services alter any critical files is the
    > best approach.
    >
    > What is normally done by myself and others I have talked to is a PHP
    > gateway server. You would write a daemon that your PHP code talks to
    > via a Unix domain socket. The protocol you use to talk to your daemon
    > would include a username and password (so the daemon can ensure it is
    > talking to an authorized user).

    As a newbie, I don't see how this is more secure. The service is still
    directly available via the network without the PHP program. Secondly, a
    hostile user could make arbitrary account changes if they were able to
    run the PHP program.

    Waiting for enlightenment,

    cur - still preferring cryptogams to cryptograms

    -- 
    Curt Seeliger, Data Ranger          
    CSC, EPA/WED contractor
    541/754-4638                      
    seeliger.curt@epa.gov
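
The gateway design described in the quoted text, as an added example that is not code from the thread or its participants: a daemon that listens only on a Unix domain socket, authenticates the caller with a username and password, and accepts one narrowly validated operation. The JSON request format, the `set_shell` operation, the client name `webfront`, its password and the salt are assumptions constructed for illustration.

```python
import hashlib, hmac, json, os, re, socket, sys

SALT = b"constructed-salt"                        # constructed sample value
def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8", "replace"), SALT, 100_000)

CLIENTS = {"webfront": _hash("example-only-secret")}  # constructed client
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,30}")
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/usr/sbin/nologin"}
PROTECTED = {"root"}                              # never editable via gateway

def deny(msg: str) -> dict:
    return {"ok": False, "error": msg}

def handle_request(raw: bytes) -> dict:
    """Authenticate the caller, then validate the single allowed operation."""
    try:
        req = json.loads(raw.decode("utf-8"))
        fields = [req[k] for k in ("user", "password", "op", "target", "value")]
    except (ValueError, KeyError, TypeError, RecursionError):
        return deny("malformed request")
    if not all(isinstance(f, str) for f in fields):
        return deny("malformed request")
    user, pw, op, target, value = fields
    known = user in CLIENTS
    expected = CLIENTS[user] if known else _hash("")  # equal work either way
    if not (hmac.compare_digest(expected, _hash(pw)) and known):
        return deny("authentication failed")
    if op != "set_shell":                         # the only operation exposed
        return deny("operation not allowed")
    if not USERNAME_RE.fullmatch(target) or target in PROTECTED:
        return deny("target not allowed")
    if value not in ALLOWED_SHELLS:
        return deny("value not allowed")
    # A real daemon would edit the account database here; this one only reports.
    return {"ok": True, "action": [op, target, value]}

def handle_conn(conn: socket.socket) -> None:
    """Answer one newline-terminated request of at most 4 KiB."""
    with conn:
        reply = handle_request(conn.recv(4096).split(b"\n", 1)[0])
        conn.sendall(json.dumps(reply).encode() + b"\n")

def serve(path: str) -> None:
    """Listen on a Unix domain socket; no TCP port is ever opened."""
    old = os.umask(0o117)                         # socket file mode 0660
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.umask(old)
    srv.listen(8)
    while True:
        handle_conn(srv.accept()[0])

if __name__ == "__main__":
    serve(sys.argv[1])                            # socket path as argument
```

The web-facing code holds only the gateway credential and can ask for nothing outside the allowlist; write access to the critical files stays with the daemon.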