On Tuesday 10 February 2004 09:28 am, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson <[EMAIL PROTECTED]> writes:
> > > I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my
> > > machine can read the auth script and read the passwords that would be
> > > contained within -- those to my MySQL server.
> >
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
>
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it. Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>
> This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www). As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>
> There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts. I'm trying to work it out this way now
> but it's a lot of hassle.
>
> Thanks for your response,
>
> -lewiz.
Check the syntax for the .htaccess files in the httpd.conf file. This is a
file that must be non-readable by regular users via PHP, but Apache has a
filter written within the httpd.conf file to disallow access. I know it's
about 3/4 of the way down the page.

HTH

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
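The check a practitioner would want for the situation Lewis describes is an audit of which files the Apache user can actually read. Because mod_php executes as that user, every file it can read is readable from any user's PHP script, regardless of who owns it. The `<Files ~ "^\.ht">` stanza Eric points to in the stock httpd.conf governs only what Apache serves over HTTP; it does not restrict what a PHP script opens through the filesystem, which is the path Lewis is worried about. The script below is an added example, not code from this thread, from Apache or from PHP. It assumes (hypothetically) that the Apache user and group are both called www and that user sites live under <home>/public_html; the built-in demo substitutes the nobody account for www only because it exists on most systems, and the demo tree it scans is constructed on the fly.

```shell
#!/bin/sh
# Added example; not code from this thread or from Apache/PHP. It audits
# the situation Lewis describes: mod_php runs as the Apache user, so every
# file that user can read is readable from any user's PHP script. Given a
# directory of user homes, list the PHP files the Apache user could read
# and flag those that look like they embed MySQL credentials.
#
# Assumptions (hypothetical): the Apache user and group are "www" and user
# sites live under <home>/public_html. The built-in demo substitutes the
# "nobody" account for "www" only because it exists on most systems.
#
# Usage: sh audit-www-readable.sh DIR [WWW_USER [WWW_GROUP]]
#        sh audit-www-readable.sh        # scan a constructed demo tree

# Print, sorted, the *.php files under $1 that user $2 (primary group $3)
# can read: world-readable, group-readable and owned by group $3, or
# owner-readable and owned by user $2. Octal -perm masks keep this portable
# across GNU, BSD and busybox find. ACLs and supplementary groups are not
# considered, so treat the output as a lower bound.
www_readable_php() {
    dir="$1"; user="$2"; group="$3"
    find "$dir" -type f -name '*.php' \( \
        -perm -004 \
        -o \( -group "$group" -perm -040 \) \
        -o \( -user "$user" -perm -400 \) \
    \) | sort
}

# Filter that list down to files containing a mysql_connect()/
# mysql_pconnect() call or a variable that looks like a password.
# The pattern is a constructed heuristic; extend it for your code base.
www_readable_creds() {
    www_readable_php "$1" "$2" "$3" | while IFS= read -r f; do
        if grep -qiE 'mysql_p?connect|\$[A-Za-z_]*pass(word|wd)?[[:space:]]*=' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed demo layout in a temp directory and print its path:
# alice's world-readable auth.php (what Lewis fears), bob's owner-only
# auth.php (which www could not read, but then neither could mod_php run
# it), and a readable page with no secrets in it.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/alice/public_html" "$t/bob/public_html"
    printf '<?php\n$dbpass = "alice-secret";\nmysql_connect("localhost", "alice", $dbpass);\n' \
        > "$t/alice/public_html/auth.php"
    chmod 644 "$t/alice/public_html/auth.php"
    printf '<?php\n$dbpass = "bob-secret";\n' > "$t/bob/public_html/auth.php"
    chmod 600 "$t/bob/public_html/auth.php"
    printf '<?php echo "hello";\n' > "$t/bob/public_html/index.php"
    chmod 644 "$t/bob/public_html/index.php"
    printf '%s\n' "$t"
}

if [ "$#" -ge 1 ]; then
    www_readable_creds "$1" "${2:-www}" "${3:-www}"
else
    # "nobody" stands in for "www" here (hypothetical; exists on most systems)
    d=$(demo_tree)
    g=$(id -gn nobody 2>/dev/null || echo nobody)
    echo "# PHP files under $d readable by nobody:"
    www_readable_php "$d" nobody "$g"
    echo "# ...of which these appear to hold credentials:"
    www_readable_creds "$d" nobody "$g"
    rm -rf "$d"
fi
```

Run it against the parent of your users' home directories with the real Apache user and group (`sh audit-www-readable.sh /home www www`). Anything it prints is readable from every user's PHP code on the box. Note the dilemma the thread circles around: the only file in the demo that the audit does not flag is the one mod_php could not run either, so tightening modes alone does not solve it.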