Re: Deny Access To configuration file using php scripts

From: Joachim Schipper (j.schippermath.uu.nl)
Date: Tue Mar 01 2005 - 18:26:20 CST


On Tue, Mar 01, 2005 at 07:54:12PM +0200, raT wrote:
> Hello, I have a web server and I have a major problem.
>
> Some of my users are trying to find my pass for my mysql database.
>
> The first thing they do is a
> system ('cat /var/www/path to config file');
> inside a php script.
>
> My problem is to deny this file from being read through the script, since
> the apache daemon runs as nobody
> and it has to have read permission to the configuration file.
>
> My users have shell accounts and can create files in the public_html folder.
> Any help?
> snif!
>
> Thanks in advance.

The Apache docs seem to recommend using suExec (not sure about
capitalization). Why not go with that? (Just remember that mod_php isn't
inhibited - you'll want true CGI. Same goes for mod_perl, mod_python,
etc., by the way.)

Yes, suExec is a bother to set up. PHP's safe mode offers some of the
same safeguards, but I do not know enough about it and would recommend
reading up on it a lot before entrusting your security to it. It's
better performance-wise than suExec, though.

Not running Apache as the - actually rather powerful - nobody user and
not leaving sensitive passwords in any file on the system might be good
ideas, too, depending on your particular layout. Don't forget to
disallow overriding your configuration in .htaccess files, too.

                Joachim
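As an added example for this thread (not code from the original post or from the Apache project), a small Python audit that scans an httpd.conf text for the settings Joachim's reply warns about: the daemon running as nobody, AllowOverride left open for .htaccess, mod_php loaded (which suExec does not constrain), and VirtualHost blocks without a SuexecUserGroup. SAMPLE_CONF is a constructed configuration; the hostnames and paths in it are assumptions.

```python
# Added example, not from the original post or Apache: audit a constructed
# httpd.conf text for the settings the reply above warns about.
SAMPLE_CONF = """\
User nobody
# mod_php: scripts run as the daemon user, suExec does not apply to them
LoadModule php5_module modules/libphp5.so
<Directory /home/*/public_html>
    AllowOverride All
</Directory>
<VirtualHost *:80>
    ServerName alice.example.invalid
    DocumentRoot /home/alice/public_html
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example.invalid
    SuexecUserGroup bob bob
    DocumentRoot /home/bob/public_html
</VirtualHost>
"""

def audit_httpd_conf(text):
    findings = []                       # one string per flagged setting
    vhost, vhost_has_suexec = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()          # Apache directives are case-insensitive
        args = [p.lower() for p in parts[1:]]
        if directive == "user" and args == ["nobody"]:
            findings.append("User nobody: run the daemon under a dedicated account")
        elif directive == "allowoverride" and args != ["none"]:
            findings.append("AllowOverride %s: .htaccess can change the server config" % " ".join(parts[1:]))
        elif directive == "loadmodule" and args and args[0].startswith("php"):
            findings.append("%s loaded: PHP runs as the daemon, suExec does not apply" % parts[1])
        elif directive.startswith("<virtualhost"):
            vhost, vhost_has_suexec = line.strip("<>"), False
        elif directive == "suexecusergroup":
            vhost_has_suexec = True
        elif directive == "</virtualhost>" and not vhost_has_suexec:
            findings.append("%s has no SuexecUserGroup: CGI runs as the daemon user" % vhost)
    return findings

if __name__ == "__main__":
    for finding in audit_httpd_conf(SAMPLE_CONF):
        print("-", finding)
```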