> About the problem: have you tried to keep the passwd in a text file (chmod
> 600) .. then get your php script to read the text file; (btw for this to
> work you have to mail the server admin (bhavin) and ask him to chown
> nobody:nobody filename.txt for you).
Still, I could make a CGI script which could simply read the password file
when invoked through the web-server (obviously, with nobody permissions)
Worse still, I can make my CGI program MODIFY that file!!!
This is strictly a no-no situation!
> Of course it will be rather irritating to modify this file......
Hmmmm ... as you can see, it's very easy to modify this file. Better
still, anyone can do it!
Well, security is a very tricky issue, and we need to be very careful
before thinking about _any_ solution. There could still be loopholes ...
and worse at that!
> The real solution is something called virtual root; Man chroot to read all
> about it...
> No lowcost webhoster in the world provides this facility though.
But that's still a very tricky thing. Hard to understand and set up. And,
if something is tricky, chances are that you might leave loopholes still!
Another (high-cost, in terms of processing resources as well as money, for
the service provider will ask for more) solution is to start a dedicated
web-server on some other port with your own user-id for all
database-transaction related things.
The caveat is this. If there is some bug in the web-server (of which I've
never heard for quite some time now), then YOUR data (and all of it) will
be compromised.
> There's yet another solution that I had explored... you have to write
> a wrapper that will execute httpd with the pid of the user;
Yes. I've heard about this. But have no ideas .... Anyone for enlightening
us?
regards,
jaju
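
The point made in the reply above, that a password file owned by the web server's shared account is open to every script that server runs, can be checked mechanically. The following is an added example, not part of the original message; the uid/gid numbers (99 for nobody, 1000 for a site owner) are constructed, and it models only classic Unix mode bits, not ACLs.

```python
import os
import stat

def access_for(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Return (can_read, can_write) for a process under classic Unix mode bits.

    Exactly one class applies: owner, else group, else other."""
    if proc_uid == 0:
        return (True, True)  # root is not restricted by mode bits
    if proc_uid == owner_uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif owner_gid in proc_gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return (bool(mode & r), bool(mode & w))

def findings(mode, owner_uid, owner_gid, web_uid, web_gids):
    """List what any script run by the shared web-server account can do."""
    can_read, can_write = access_for(mode, owner_uid, owner_gid, web_uid, web_gids)
    out = []
    if can_read:
        out.append("readable by every script the web server runs")
    if can_write:
        out.append("modifiable by every script the web server runs")
    return out

def audit_path(path, web_uid, web_gids):
    """Same check against a real file on disk."""
    st = os.stat(path)
    return findings(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids)

if __name__ == "__main__":
    NOBODY_UID, NOBODY_GID = 99, 99      # constructed ids for the shared account
    SITE_UID, SITE_GID = 1000, 1000      # constructed ids for the site owner
    cases = {
        "chmod 600, chown nobody:nobody": (0o600, NOBODY_UID, NOBODY_GID),
        "chmod 600, owned by site owner": (0o600, SITE_UID, SITE_GID),
        "chmod 644, owned by site owner": (0o644, SITE_UID, SITE_GID),
    }
    for label, (mode, uid, gid) in cases.items():
        result = findings(mode, uid, gid, NOBODY_UID, {NOBODY_GID})
        print(f"{label}: {result or 'not accessible to the shared account'}")
```

In the second case the site's own script, which also runs as the shared account, cannot read the file either.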