hi...
>AOLserver uses a tcl API -- those files (*.tcl and *.adp) are also
>chmod'd 600, as AOLserver does its own interpreting -- php may need
>execute permission; I don't know.
no, no special priveleges are needed for php, as long as they are readable
by the web server, as all the interp happens within the server.
we've been running a very complex site using pgsql (6.5 is a god), apache
and php and find it to be stable, fast and reliable. security so far has
been good, and we've followed the exact steps (more or less) that Lamar
outlined he used.
turning off the ability for pgsql to accept internet socket connections,
is, imho, a good idea also if the web server is on the same machine. no
need to open a door when it isn't needed.
a lot of security issues are either raised or made solid by how
PHP/tcl/whatever you are using to provide interaction between user/web
server/database are written. you largest security hole possibilities lie
within poor coding of those scripts.
just be careful scripting. that can't be emphasized enough.
i.e. with our implementation, users can never actually delete anything. in
the few places they can cause a deletion in the database, it is ONLY to
their own data and even then, if they are playing with information that has
been made "permanent" they either can NOT delete it, or if they can, a copy
is made to a "garbage" table for later clean-up by an authorized individual
in the company.
paranoia is good. pgsql is even better. go 'phants!
Aaron J. Seigo
Systems Analyst/Administrator
