Our PHP users run their scripts under their own username. This requires the performance hit of treating PHP like any other CGI script (no mod_php), but they are on a shared server because they are a low-volume site.
On Sun, 11 Nov 2001, Peter Lovatt wrote:

> Date: Sun, 11 Nov 2001 10:20:11 -0000
> From: Peter Lovatt <[EMAIL PROTECTED]>
> To: Tim Hewitt <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Securing username and password in script file
>
> I don't think there is a secure way of running php on a shared server.
>
> I have a dedicated server which uses this 'property' to have a single shared
> php codebase for about 20 domains and subdomains.
>
> I looked at ways of securing it but, fundamentally, php under apache runs
> the same user for everyone, so if anyone can read the config file, everyone
> can, if they know where it is.
>
> Not sure if php under cgi runs as the user.
>
> If you could configure the webserver to run as the user (and so different
> for each domain) rather than nobody this would cure it. Don't know if this
> is possible.
>
> This is a problem which could do with addressing really. Any thoughts
> anybody?
>
> Peter
>
> > -----Original Message-----
> > From: Tim Hewitt [mailto:[EMAIL PROTECTED]]
> > Sent: 11 November 2001 01:32
> > To: [EMAIL PROTECTED]
> > Subject: Securing username and password in script file
> >
> >
> > How does one go about securing database access username and password
> > information that's kept in a script's config file?
> >
> > Most of the PHP and Perl applications floating around Sourceforge, as
> > well as most of the commercially available scripts, store the database
> > access username and password in a config file. This can be called
> > anything, and can be kept either inside or outside the htdocs area on
> > website. It doesn't matter for my example.
> >
> > This file needs to be readable by the process running the web server
> > (typically nobody on Linux shared servers running Apache).
> >
> > Once I know where this file is stored by the application relative to the
> > user's root directory, and its name, on most if not all the shared
> > server configurations hosting websites around the world, I can simply
> > open the file using the pathname to the file and read and display it, or
> > require it and then display the username and password variables, etc.
> > This of course I'm doing from another user account on the server.
> >
> > In the case of a popular forum script written in PHP, I was able to
> > discover more than one other config file on my server and read its
> > contents. I notified the owner of the site that I was able to do this,
> > however I had no suggestions for him to protect his information from
> > anyone else who might want to do the same.
> >
> > In a shared server environment where the files must be readable by the
> > webserver process, and there is one web server "user" on the shared
> > server, how can you protect this information? Are you simply screwed?
> > If so, then much of the world is screwed...
> >
> > Any ideas on how to secure this situation?
> >
> > Thanks,
> >
> > -Tim
> >
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> > http://www.mysql.com/manual.php (the manual)
> > http://lists.mysql.com/ (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail
> > <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

Sincerely,

William Mussatto, Senior Systems Engineer
CyberStrategies, Inc
ph. 909-920-9154 ext. 27
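William's setup (PHP run as a CGI under each site owner's own account) turns Tim's problem into a plain file-permission question: once the script executes as the site owner, the config file no longer has to be readable by a shared `nobody` web user, so it can be made owner-only. The script below is an added example, not part of this thread, that audits one or more config files for group/other read permission and tightens them to mode 0600. The helper names `config_is_private`, `audit_configs` and `harden_config` are hypothetical, and the sample `config.php` it operates on is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit and tighten the
# permissions of a PHP application's database config file.
# Only meaningful where PHP runs as the site owner (CGI/suexec-style
# setups); under a single shared "nobody" web user the file must stay
# readable by that user and this check cannot close the gap.

# Return 0 if the file exists and is readable/writable by its owner only
# (no group or other bits set), 1 otherwise.
config_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat prints the octal mode with -c '%a'; BSD/macOS uses -f '%Lp'.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # Keep only the last three digits (drops a leading setuid/setgid/sticky digit).
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    group_other=$(printf '%s' "$mode" | cut -c2-3)
    [ "$group_other" = "00" ]
}

# Audit every path given: print one line per file, return 0 only if all
# of them are private.
audit_configs() {
    rc=0
    for f in "$@"; do
        if config_is_private "$f"; then
            printf 'OK       %s\n' "$f"
        else
            printf 'EXPOSED  %s (readable by group/other)\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Remediate: owner read/write only.
harden_config() {
    chmod 600 "$1"
}

# Demonstration on a constructed file (not a real site's config).
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/config.php"
printf '<?php\n$db_user = "demo";\n$db_pass = "not-a-real-secret";\n' > "$demo_cfg"
chmod 644 "$demo_cfg"       # typical default: world-readable
audit_configs "$demo_cfg"   # reports EXPOSED
harden_config "$demo_cfg"
audit_configs "$demo_cfg"   # reports OK
rm -rf "$demo_dir"
```

Run it once per site from the owner's account, or point `audit_configs` at a list of config paths from cron so a world-readable credential file is reported before another tenant finds it. The check only inspects mode bits; it deliberately does not test whether the web server user can read the file, because on a mod_php host that read is required and the thread's conclusion stands.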