On Tuesday 23 October 2001 12:29, Chris Lee wrote:
> I use proftpd, I can set up a chroot for the user that logs in, chroot them
> to their vhosts dir, move the mysql passwd file out of that dir. Now anyone
> that ftp's in can not read the passwd. As for telnet (shell) access, it's
> rare a user needs that anyhow, if you feel your customers do need that,
> well it's your choice to offer them the security risk or not. I just tell
> our customers, "sorry, nope, too big of a security risk.", I have yet to
> have one complain so badly they switch hosting services.

Sorry -- but you're wrong. If you've got php loaded as an apache module in a shared hosting environment, then any file that apache can read, I can gain access to through a simple FTP account and a well-constructed php file using fopen(). Doesn't matter if that file resides within my vhosts dir or not. I may have to guess at the path a bit, but that's fairly trivial.

The only way to protect a file in a shared hosting environment is to use something similar to php-cgiwrap which allows you to chmod the file to remove group/world read access. (If someone knows of another way to do this using the apache php module, please let me (and my ISP) know)

Regarding shell access being a "security risk", ssh is far, far more secure than FTP can ever hope to be.

This is straying off-topic, so we should probably take further discussions offline. Feel free to email me directly if you have questions/disagreements.

--kurt

--
PHP General Mailing List (http://www.php.net/)
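For a host operator checking the exposure described in this message, the following is an added example, not part of the original post: it lists the files under a vhost tree that the web server account can read, which with PHP loaded as an Apache module means every tenant's scripts can read them too. The function names, the uid/gid arguments and the file names in the comments are assumptions; only file mode bits are evaluated, not directory search bits or ACLs.

```python
import os
import stat
import sys


def readable_by(st_mode, st_uid, st_gid, uid, gids):
    """POSIX read check for one account against one file's mode bits.

    Exactly one permission class applies: owner, else group, else other.
    Assumption: directory search bits and ACLs are not evaluated here.
    """
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def audit(root, web_uid, web_gids):
    """Return sorted paths of regular files under root readable by the web account."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and readable_by(
                st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids
            ):
                exposed.append(path)
    return sorted(exposed)


if __name__ == "__main__":
    # Usage (hypothetical script name): audit.py <vhost-root> <web-uid> <web-gid>...
    root, web_uid = sys.argv[1], int(sys.argv[2])
    web_gids = {int(g) for g in sys.argv[3:]}
    for p in audit(root, web_uid, web_gids):
        mode = stat.S_IMODE(os.lstat(p).st_mode)
        print(f"{mode:04o} {p}")
```

A credentials file that has to appear in this list for the site to work is the case the message describes; when scripts run as the file's owner instead, the file can be mode 0600 and drops off the list.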

