> Major security question:
> 
> I manage a shared Linux web server running PHP 4.2.3. Apache must have
> read permissions on a php file necessary for a web application. For
> example a conf.php file containing a MySQL password that is stored
> outside the web directory:
> 
> -rw-r-----    1 q        apache       3522 Oct 17 06:39 conf.php
> 
> Because this file is readable by apache, ANY user on the server can
> write the following script:
> 
> <? print_r(file('/home/q/conf.php')); ?>
> 
> which upon execution the conf.php file will be read by apache and
> exposed to the user.
> 
> Example understood?
> 
> How can a file be secured so it can still be used by apache, but
> inaccessible by any other user? Is there a PHP ini configuration to
> force apache to run as the user that is the owner of the php files
> being executed?

Either turn on safe_mode or use the CGI instead of the module.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy
today. http://www.phparch.com/



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
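
An audit sketch for the exposure described in the question (an added example, not part of the original thread): it lists regular files under a directory that the web server's group, or everyone, can read, which on a shared host running PHP as an Apache module means any local user's script can read them. The function names and the sample tree are constructed for illustration, and directory traverse permissions are not evaluated.

```python
import os
import stat
import tempfile

def exposed_to_web_group(root, web_gid):
    """Return (path, mode) for files under root that the web group can read.

    With PHP loaded as an Apache module on a shared host, every user's script
    runs as the Apache user, so each path returned here is readable by any
    local user's script, not only by the owner's application.
    """
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or cannot be examined; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets, devices
            group_read = st.st_gid == web_gid and st.st_mode & stat.S_IRGRP
            world_read = st.st_mode & stat.S_IROTH
            if group_read or world_read:
                exposed.append((path, stat.filemode(st.st_mode)))
    return sorted(exposed)

def demo():
    """Constructed sample tree: conf.php as 0640 (as in the post) and a 0600 file."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "conf.php")
    private = os.path.join(root, "notes.txt")
    for path, mode in ((shared, 0o640), (private, 0o600)):
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    # Assumption: the group of the new file stands in for the "apache" group.
    web_gid = os.stat(shared).st_gid
    return root, exposed_to_web_group(root, web_gid)

if __name__ == "__main__":
    for path, mode in demo()[1]:
        print(mode, path)
```

On a real host, pass the numeric gid of the group Apache runs under and the directory holding the application's configuration files.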
