I don't think there is a secure way of running php on a shared server.

I have a dedicated server which uses this 'property' to have a single shared
php codebase for about 20 domains and subdomains.

I looked at ways of securing it but, fundamentally, php under apache runs
the same user for everyone, so if anyone can read the config file, everyone
can, if they know where it is.

Not sure if php under cgi runs as the user.

If you could configure the webserver to run as the user (and so different
for each domain) rather than nobody this would cure it. Don't know if this
is possible.

This is a problem which could do with addressing really. Any thoughts
anybody?

Peter


> -----Original Message-----
> From: Tim Hewitt [mailto:[EMAIL PROTECTED]]
> Sent: 11 November 2001 01:32
> To: [EMAIL PROTECTED]
> Subject: Securing username and password in script file
>
>
> How does one go about securing database access username and password
> information that's kept in a script's config file?
>
> Most of the PHP and Perl applications floating around Sourceforge, as
> well as most of the commercially available scripts, store the database
> access username and password in a config file. This can be called
> anything, and can be kept either inside or outside the htdocs area on
> website. It doesn't matter for my example.
>
> This file needs to be readable by the process running the web server
> (typically nobody on Linux shared servers running Apache).
>
> Once I know where this file is stored by the application relative to the
> user's root directory, and its name, on most if not all the shared
> server configurations hosting websites around the world, I can simply
> open the file using the pathname to the file and read and display it, or
> require it and then display the username and password variables, etc.
> This of course I'm doing from another user account on the server.
>
> In the case of a popular forum script written in PHP, I was able to
> discover more than one other config file on my server and read its
> contents. I notified the owner of the site that I was able to do this,
> however I had no suggestions for him to protect his information from
> anyone else who might want to do the same.
>
> In a shared server environment where the files must be readable by the
> webserver process, and there is one web server "user" on the shared
> server, how can you protect this information?  Are you simply screwed?
> If so, then much of the world is screwed...
>
> Any ideas on how to secure this situation?
>
> Thanks,
>
> -Tim
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail
> <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
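The precondition Tim describes is a config file that another local account can read. The script below is an added example, not code from either poster: it audits a web root for credential-bearing config files whose mode grants read to "other" (the bit any unrelated user on the box needs) and strips that bit. The file-name patterns and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find config files under a web root
# that ANY local account can read, then remove the "other" read bit.
# Name patterns are an assumption; adjust for the applications you host.

# Print, one per line, regular files under $1 that look like config files
# and whose permission bits include other-read (octal 004).
find_world_readable_configs() {
    find "$1" -type f \
        \( -name 'config*.php' -o -name 'config*.inc' -o -name '*.conf' \) \
        -perm -004 2>/dev/null | sort
}

# Strip other-read from every file reported above and echo what was changed.
# Owner and group permissions are left alone so the site's own user and
# group can still read the file.
harden_configs() {
    find_world_readable_configs "$1" | while IFS= read -r f; do
        chmod o-r "$f"
        echo "fixed: $f"
    done
}

# Usage: sh audit_configs.sh /var/www [--fix]
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then
        harden_configs "$1"
    else
        find_world_readable_configs "$1"
    fi
fi
```

This closes the "read it from another shell account" path, but it does not address the point Peter raises: under mod_php every site's scripts run as the same web-server user, so the file still has to be readable by that user and any PHP script on any virtual host can read it. Per-user execution (PHP as CGI run through Apache's suEXEC, so each domain's scripts run as that domain's account) is what lets the file be mode 0600 and owned by the site's user.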


