Re: Shell script containing passwords.

2004-02-10 Thread Lowell Gilbert
Lewis Thompson [EMAIL PROTECTED] writes:

> I'm trying to write a script to use with the Apache auth plugin
> mod_auth_any.  I have the whole setup working, bar the script that does
> the authentication.
>
>   I am worried that because the script must be read/writeable by the
> Apache user (www) that anybody that can write a PHP script on my machine
> can read the auth script and read the passwords that would be contained
> within -- those to my MySQL server.

Why would the script be readable or writeable by any user?  
It only needs to be executable, right?

>   Is there any way I can have a script that is not readable by a user,
> while still allowing that user to execute it?  Maybe through using a
> wrapper of some sort?  I do not have UFS2 so I cannot use ACLs.
>
>   Any suggestions for this as I'm stumped.  Thanks very much,

Check how Apache normally deals with this; I haven't used the auth
module, but I can't believe that it requires insecure practices...
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Shell script containing passwords.

2004-02-10 Thread Lewis Thompson
On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> Lewis Thompson [EMAIL PROTECTED] writes:
>
> >   I am worried that because the script must be read/writeable by the
> > Apache user (www) that anybody that can write a PHP script on my machine
> > can read the auth script and read the passwords that would be contained
> > within -- those to my MySQL server.
>
> Why would the script be readable or writeable by any user?
> It only needs to be executable, right?

Well, since it's an interpreted script (it's some standalone PHP) in
order to execute it, the user must be able to read it.  Since the script
holds passwds that means that any user with the ability to run it can
get the passwds (in my case to access my MySQL server).

  This is a ``flaw'' with the way Apache works because everything Apache
executes must be +rw for the Apache user (www).  As a result any person
able to write PHP code (all of my users) can read anything that the
Apache user can, because mod_php executes as the Apache user.

  There are security features in PHP (safe_mode) but these conflict with
a large number of PHP scripts.  I'm trying to work it out this way now
but it's a lot of hassle.

  Thanks for your response,

-lewiz.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.

-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-




Re: Shell script containing passwords.

2004-02-10 Thread Peter Risdon
Lewis Thompson wrote:

> Hi,
>
> I'm trying to write a script to use with the Apache auth plugin
> mod_auth_any.  I have the whole setup working, bar the script that does
> the authentication.
>
> I am worried that because the script must be read/writeable by the
> Apache user (www) that anybody that can write a PHP script on my machine
> can read the auth script and read the passwords that would be contained
> within -- those to my MySQL server.

All you can do really is store the passwords themselves in an include 
file that you put in the most secure place possible, preferably not in 
webspace. But I imagine you have this covered.

> Is there any way I can have a script that is not readable by a user,
> while still allowing that user to execute it?  Maybe through using a
> wrapper of some sort?  I do not have UFS2 so I cannot use ACLs.

Not that I know of, but have you considered compiling apache with 
suexec? Assuming your other users have separate logins, this might work. 
You can have apache execute scripts as the appropriate user, not www. 
That way, a 700 permission should prevent other users from reading your 
scripts.

PWR.
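
The two points in the message above (credentials include file kept outside webspace, and a 700-style mode once suexec runs scripts as their owner) can be audited with a short script. This is an added example, not code from the thread; the function name check_secret and the demo paths are made up for illustration.

```sh
#!/bin/sh
# Added example: audit a credentials include file for two things:
# it lives outside the document root, and it has no group/other bits.

# check_secret FILE DOCROOT -> prints findings; returns 0 only if clean.
check_secret() {
    file=$1 docroot=$2 rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    # Resolve the containing directory so ../ or symlinked directories
    # cannot hide a file that really lives under the document root.
    real_dir=$(cd "$(dirname "$file")" && pwd -P) || return 2
    real_root=$(cd "$docroot" && pwd -P) || return 2
    case "$real_dir/" in
        "$real_root"/*) echo "inside docroot: $file"; rc=1 ;;
    esac

    # ls -ld prints e.g. -rw-r----- ; characters 5-10 are group and other.
    mode=$(ls -ld "$file" | cut -c1-10)
    case $(echo "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "group/other access ($mode): $file"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: one file under a fake docroot with mode 644, one
# outside it with mode 600.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/www/htdocs" "$t/private"
    echo 'db_pass=example' > "$t/www/htdocs/db.inc"; chmod 644 "$t/www/htdocs/db.inc"
    echo 'db_pass=example' > "$t/private/db.inc";    chmod 600 "$t/private/db.inc"
    check_secret "$t/www/htdocs/db.inc" "$t/www/htdocs"; bad=$?
    check_secret "$t/private/db.inc" "$t/www/htdocs"; good=$?
    rm -rf "$t"
    echo "in-docroot rc=$bad, private rc=$good"
}
demo
```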



Re: Shell script containing passwords.

2004-02-10 Thread Lewis Thompson
On Tue, Feb 10, 2004 at 03:56:08PM +, Peter Risdon wrote:
> Lewis Thompson wrote:
> > I am worried that because the script must be read/writeable by the
> > Apache user (www) that anybody that can write a PHP script on my machine
> > can read the auth script and read the passwords that would be contained
> > within -- those to my MySQL server.
>
> All you can do really is store the passwords themselves in an include
> file that you put in the most secure place possible, preferably not in
> webspace. But I imagine you have this covered.

Yeah, but this is really security through obscurity, not something I'm
keen on ;)

> > Is there any way I can have a script that is not readable by a user,
> > while still allowing that user to execute it?  Maybe through using a
> > wrapper of some sort?  I do not have UFS2 so I cannot use ACLs.
>
> Not that I know of, but have you considered compiling apache with
> suexec? Assuming your other users have separate logins, this might work.
> You can have apache execute scripts as the appropriate user, not www.
> That way, a 700 permission should prevent other users from reading your
> scripts.

I read some stuff about this.  I got the impression it required using
PHP as a CGI, instead of mod_php.  Am I wrong in thinking this?  The
overhead of using PHP as CGI is a little too high because the server is
already pretty stretched...

  Thanks very much,

-lewiz.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.

-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-




Re: Shell script containing passwords.

2004-02-10 Thread Peter Risdon
Lewis Thompson wrote:

> On Tue, Feb 10, 2004 at 03:56:08PM +, Peter Risdon wrote:
>
> > Lewis Thompson wrote:
> >
> > > I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my machine
> > > can read the auth script and read the passwords that would be contained
> > > within -- those to my MySQL server.
> >
> > All you can do really is store the passwords themselves in an include
> > file that you put in the most secure place possible, preferably not in
> > webspace. But I imagine you have this covered.
>
> Yeah, but this is really security through obscurity, not something I'm
> keen on ;)

That's kind of what we're talking about here, though. Keeping a file's 
contents inaccessible.

 

> > > Is there any way I can have a script that is not readable by a user,
> > > while still allowing that user to execute it?  Maybe through using a
> > > wrapper of some sort?  I do not have UFS2 so I cannot use ACLs.
> >
> > Not that I know of, but have you considered compiling apache with
> > suexec? Assuming your other users have separate logins, this might work.
> > You can have apache execute scripts as the appropriate user, not www.
> > That way, a 700 permission should prevent other users from reading your
> > scripts.
>
> I read some stuff about this.  I got the impression it required using
> PHP as a CGI, instead of mod_php.  Am I wrong in thinking this?

Yes, you can use mod_php with suexec. Makes most sense with virtual 
hosts, because each host must run as a single user.

PWR.



Re: Shell script containing passwords.

2004-02-10 Thread Jez Hancock
On Tue, Feb 10, 2004 at 04:06:37PM +, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 03:56:08PM +, Peter Risdon wrote:
snip
> > Not that I know of, but have you considered compiling apache with
> > suexec? Assuming your other users have separate logins, this might work.
> > You can have apache execute scripts as the appropriate user, not www.
> > That way, a 700 permission should prevent other users from reading your
> > scripts.
>
> I read some stuff about this.  I got the impression it required using
> PHP as a CGI, instead of mod_php.  Am I wrong in thinking this?  The
> overhead of using PHP as CGI is a little too high because the server is
> already pretty stretched...

Have a look at /usr/ports/www/suphp - be warned though, last time I
looked at it the checks it uses to ensure UID 0 scripts aren't executed
did not work correctly on FreeBSD.

One slightly more complicated option is to rearrange your user/group
permissions on a server-wide basis - there's a detailed description in
this post:


http://lists.freebsd.org/pipermail/freebsd-questions/2003-August/014731.html

HTH

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - Another FreeBSD Diary
http://ipfwstats.sf.net/  - ipfw peruser traffic logging


Re: Shell script containing passwords.

2004-02-10 Thread Robert Barten
On Tue, Feb 10, 2004 at 03:28:14PM +, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson [EMAIL PROTECTED] writes:
> >
> > >   I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my machine
> > > can read the auth script and read the passwords that would be contained
> > > within -- those to my MySQL server.
> >
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
>
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it.  Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>
>   This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www).  As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>
>   There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts.  I'm trying to work it out this way now
> but it's a lot of hassle.

No need for safe_mode, set

    php_admin_value open_basedir /www/dir/to/user/

in your vhost config, add if desired /tmp/phpupload/:/tmp/phpsession/

suphp doesn't work with mod_php AFAIR.

Keep in mind: users (CGI scripts as well) can still browse into other user
directories unless you force them into one group (e.g. users), home to 705
and use SuEXEC.

HTH
-- 
Robert Barten


Re: Shell script containing passwords.

2004-02-10 Thread Lewis Thompson
On Tue, Feb 10, 2004 at 05:52:17PM +0100, Robert Barten wrote:
> No need for safe_mode, set
> php_admin_value open_basedir /www/dir/to/user/
> in your vhost config, add if desired /tmp/phpupload/:/tmp/phpsession/

Yes, I've looked at this.  However, I want to use userdir=public_html
for serving PHP from people's public_html dir in their home dir.

  This doesn't seem compatible with open_basedir
(open_basedir=/home/*/public_html doesn't work) and I can't find any
other way to do it.

  Thanks a lot,

-lewiz.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.

-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-
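
The open_basedir setting suggested earlier in the thread takes literal paths, which is why the /home/*/public_html form above fails; one way around it is to generate a literal <Directory> stanza per user and include the output from httpd.conf. This is an added example, not code from any poster; the /home layout, the function names and the sample user names are assumptions.

```sh
#!/bin/sh
# Added example: emit one <Directory> stanza per user so that each
# public_html gets its own open_basedir (literal paths, no globs).

# Assumed layout (hypothetical): homes under /home; the shared upload and
# session directories are the ones named in the thread.
HOME_BASE="${HOME_BASE:-/home}"
EXTRA_DIRS="${EXTRA_DIRS:-/tmp/phpupload/:/tmp/phpsession/}"

# gen_stanza USER -> prints the stanza, or returns 1 for an unsafe name.
gen_stanza() {
    user=$1
    # Reject names that could escape the intended path or break the
    # generated config (slashes, dots, quotes, whitespace, leading dash).
    case $user in
        ''|*[!A-Za-z0-9_-]*|-*) return 1 ;;
    esac
    dir="$HOME_BASE/$user/public_html"
    printf '<Directory "%s">\n' "$dir"
    # The trailing slash limits access to this directory itself rather
    # than to every path that merely starts with the same prefix.
    printf '    php_admin_value open_basedir "%s/:%s"\n' "$dir" "$EXTRA_DIRS"
    printf '</Directory>\n'
}

# gen_all: read user names from stdin, one per line; skip unsafe ones.
gen_all() {
    while IFS= read -r u; do
        gen_stanza "$u" || printf '# skipped unsafe user name\n'
    done
}

# Constructed sample input; on a real host the list would come from the
# password database or a listing of $HOME_BASE.
sample_users() {
    printf '%s\n' alice bob '../etc'
}

sample_users | gen_all
```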




Re: Shell script containing passwords.

2004-02-10 Thread Eric F Crist
On Tuesday 10 February 2004 09:28 am, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson [EMAIL PROTECTED] writes:
> > >   I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my
> > > machine can read the auth script and read the passwords that would be
> > > contained within -- those to my MySQL server.
> >
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
>
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it.  Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>
>   This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www).  As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>
>   There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts.  I'm trying to work it out this way now
> but it's a lot of hassle.
>
>   Thanks for your response,
>
> -lewiz.

Check the syntax for the .htaccess files in the httpd.conf file.  This is a 
file that must be non-readable by regular users via php, but apache has a 
filter written within the httpd.conf file to disallow access.  I know it's 
about 3/4 of the way down the page.

HTH

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588




Re: Shell script containing passwords.

2004-02-10 Thread Lewis Thompson
On Tue, Feb 10, 2004 at 09:41:22AM -0600, Eric F Crist wrote:
> Check the syntax for the .htaccess files in the httpd.conf file.  This
> is a file that must be non-readable by regular users via php, but
> apache has a filter written within the httpd.conf file to disallow
> access.  I know it's about 3/4 of the way down the page.

Am I correct in assuming you mean set this sort of security up for the
files I wish to protect?

-lewiz.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.

-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-




RE: Shell script containing passwords.

2004-02-10 Thread Eric F Crist
yes

Eric F Crist
President
AdTech Integrated Systems, Inc
(612) 998-3588



-Original Message-
From: Lewis Thompson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 11:24 AM
To: Eric F Crist
Cc: [EMAIL PROTECTED]; Lowell Gilbert
Subject: Re: Shell script containing passwords.


On Tue, Feb 10, 2004 at 09:41:22AM -0600, Eric F Crist wrote:
> Check the syntax for the .htaccess files in the httpd.conf file.  This
> is a file that must be non-readable by regular users via php, but
> apache has a filter written within the httpd.conf file to disallow
> access.  I know it's about 3/4 of the way down the page.

Am I correct in assuming you mean set this sort of security up for the
files I wish to protect?

-lewiz.

--
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.

-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-


