Apache supports running CGI scripts as a designated user on a virtual host basis (the only key is that the files can be writable by ONLY the USER, not his GROUP; toe badly stubbed making this mistake). However, why doesn't the ISP create a separate MySQL user for each client's database and restrict permissions that way?
On Fri, 9 Nov 2001, Kodrik wrote:

> Date: Fri, 9 Nov 2001 06:13:56 -0800
> From: Kodrik <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Keeping SQL dbs separated
>
> > The guy passed this request to the hosting company (which he doesn't
> > want to change) and the answer is:
> >
> > if you *really* need to use PHP instead of ASP OK, but as far as MySQL
> > is concerned we only have one customer using it now, and if we gave it
> > to you too, then the two databases would be visible and writeable to
> > each other's users.. unless *your* new webmaster programs our MySQL by
> > himself to avoid this problem.
>
> That is one of the problems with most Virtual Hosting.
> The web server user is often the same for all users, so you can use a
> scripting language to look at the files of other people's websites. I'm
> talking about Unix/Apache servers because it is what I know, but you can
> extrapolate to NT.
> For a script to access a database, it needs to write the connection
> on the files, and any other virtual user will therefore be able to see those
> files using PHP or ASP.
> So any other user can read all access codes and duplicate them themselves,
> which means having the same access to the database the other user has.
> You will also be able to write scripts to remove/add/modify any files that
> have the web server's permission.
> Worse, if your host gives a similar access code to your DB and FTP (which is
> often the case), you will be able to know your FTP user and pass.
> I must stress that this is not a MySQL issue; it is valid with any other
> database.
> I do work for various customers on various hosting systems and I must say
> that security within virtual hosting companies is horrific between sites,
> regardless of OS.
> From their comment it seems their server is insecure, although Microsoft has
> blinded them in a sense of false security and warned them about "Open Source".
>
> The first thing you should do is ask them how you could see the other
> person's DB if you have different privileges. If they are able to answer this
> question and it makes sense, ask them why it isn't an issue on their MS
> server.
> I doubt they will answer those questions well, and you will have an
> extremely valid point to request that your customer change provider: Security!
> regardless of the DB and script used.
>
> > Now, leaving apart every comment on the quality of this ISP, what
> > should I do on their server to make it so that I can indeed set my
> > customer's PHP/MySQL pages without screwing anything up? I can usually
> > find my way enough about MySQL, but this situation is entirely new to
> > me. As a matter of fact, until yesterday I would have thought that it is
> > more difficult to set up MySQL like this (or find real people doing
> > it) than the other way around..
> >
> > TIA,
> > mweb
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> > http://www.mysql.com/manual.php (the manual)
> > http://lists.mysql.com/ (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>

Sincerely,
William Mussatto, Senior Systems Engineer
CyberStrategies, Inc
ph. 909-920-9154 ext. 27
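What the per-client MySQL account William asks about looks like in practice, as an added example that is not code from the thread or from any of its participants. Database names, account names and passwords are made up; the separate CREATE USER / GRANT / ALTER USER statements assume MySQL 5.7 or later (on the 2001-era servers discussed here, `GRANT ... IDENTIFIED BY` created the account in the same statement).

```sql
-- Added example, not code from the thread: one MySQL account per hosting
-- client, each confined to its own database. Names and passwords are made up.
-- Assumes MySQL 5.7+ (CREATE USER separate from GRANT); on MySQL 3.x/4.x,
-- "GRANT ... IDENTIFIED BY" created the account in the same statement.

-- Client A: its own schema and an account that can only reach that schema.
CREATE DATABASE clienta_db;
CREATE USER 'clienta'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
    ON clienta_db.* TO 'clienta'@'localhost';

-- Client B: same pattern, different schema, different account.
CREATE DATABASE clientb_db;
CREATE USER 'clientb'@'localhost' IDENTIFIED BY 'another-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
    ON clientb_db.* TO 'clientb'@'localhost';

-- Nothing was granted at the global (*.*) level, so each account has only
-- USAGE ("may log in") there. Verify the effective privileges (8.0 output format):
SHOW GRANTS FOR 'clienta'@'localhost';
-- GRANT USAGE ON *.* TO `clienta`@`localhost`
-- GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `clienta_db`.* TO `clienta`@`localhost`

-- Logged in as clienta, the other client's data is simply not reachable:
--   USE clientb_db;                   -- access denied for 'clienta'@'localhost' to database 'clientb_db'
--   SELECT * FROM clientb_db.orders;  -- SELECT command denied
--   SHOW DATABASES;                   -- lists information_schema and clienta_db only

-- The mistake that recreates the ISP's situation: a catch-all grant, or one
-- shared account used by every site. Do not do this:
--   GRANT ALL PRIVILEGES ON *.* TO 'clienta'@'localhost';

-- If one client's credentials leak, the blast radius is one database;
-- rotate just that account:
ALTER USER 'clienta'@'localhost' IDENTIFIED BY 'a-new-long-random-secret';
```

This closes only the database side of Kodrik's objection. If every virtual host's PHP still runs as the same web-server user, a script on one site can read the other site's connection file and log in as that client with exactly these grants, so the per-database account has to be paired with the per-virtual-host script user William mentions (Apache's suexec mechanism, with the scripts writable by that user alone) before the two customers are actually separated.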