> Major security question:
>
> I manage a shared Linux web server running PHP 4.2.3. Apache must have
> read permissions on a php file necessary for a web application. For
> example a conf.php file containing a MySQL password that is stored
> outside the web directory:
>
> -rw-r----- 1 q apache 3522 Oct 17 06:39 conf.php
>
> Because this file is readable by apache, ANY user on the server can write
> the following script:
>
> <? print_r(file('/home/q/conf.php')); ?>
>
> which upon execution the conf.php file will be read by apache and exposed
> to the user.
>
> Example understood?
>
> How can a file be secured so it can still be used by apache, but
> inaccessible by any other user? Is there a PHP ini configuration to force
> apache to run as the user that is the owner of the php files being
> executed?

Either turn on safe_mode or use the CGI instead of the module.

---John W. Holmes...
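
Added example, not part of the thread: a Python audit that lists the files in the position the question describes, readable by the web server's account and therefore by any user's script run under the Apache module. The function names, the base directory and the uid/gid values passed in are assumptions; it checks classic mode bits only (no ACLs) and assumes directories above the base are searchable.

```python
import os
import sys

def class_bits(st, uid, gids):
    """rwx bits that apply to (uid, gids): owner class, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def readable_by(path, uid, gids, base):
    """True if (uid, gids) can search every directory from base down to path
    and has read permission on path itself. Assumes a non-root uid."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path is not under base")
    rel = os.path.relpath(os.path.dirname(path), base)
    cur = base
    for part in [""] + [p for p in rel.split(os.sep) if p != "."]:
        cur = os.path.join(cur, part) if part else cur
        if not class_bits(os.stat(cur), uid, gids) & 1:    # need x on each directory
            return False
    return bool(class_bits(os.stat(path), uid, gids) & 4)  # need r on the file

def exposed_files(base, uid, gids):
    """Regular files under base that the given account could read."""
    hits = []
    for dirpath, _dirs, names in os.walk(base):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue  # skip symlinks and special files
            if readable_by(p, uid, gids, base):
                hits.append(os.path.realpath(p))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed usage: audit.py <base dir> <web server uid> <web server gid>...
    base, uid = sys.argv[1], int(sys.argv[2])
    gids = {int(g) for g in sys.argv[3:]}
    for hit in exposed_files(base, uid, gids):
        print(hit)
```

Anything this prints for the Apache account stays readable from other users' scripts until safe_mode or the CGI setup from the reply is in place.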