
Re: [cobalt-users] Where to put PHP database connection info file on RaQ3?



"Clark E. Morgan" <cmorgan@xxxxxxxxxxxxxxxxx> wrote:
> PHP installed and run as a dso can read and write any appropriately
> permissioned file placed anywhere on the system. The new version of
> Phorum does this by default and I've modified phpMyAdmin to behave
> similarly, as well as all my original work.
>
> There's a very good article about this process and how it can be used to
> secure the installation of php and php apps at:
>
> http://www.onlamp.com/lpt/a/php/2001/03/29/php_admin.html

It's interesting how the article didn't even mention PHP's open_basedir
configuration directive, but you and the article are correct that these
directives can be used to tighten security on PHP scripts.  However, the
solution does nothing to prevent shell users and scripts in other languages
(Perl, Python, C, etc.) and owned by other sites' users from accessing the
same files.  To do so would require the permission of the files to *not* be
world-readable, but then PHP (as run by Apache) cannot read them.  Or so it
seems to me unless I'm missing something.  If you know of a solution to get
around this let us know!

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
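
The trade-off described in the message above, modelled as an added example that is not part of the original post: Unix mode bits apply to every accessor, while open_basedir only constrains PHP. The accounts, uids, paths and the simplified prefix check are constructed assumptions for illustration.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o644

@dataclass(frozen=True)
class Accessor:
    name: str
    uid: int
    gids: frozenset
    php_open_basedir: tuple = ()  # non-empty only for PHP running inside Apache

def mode_allows_read(f, a):
    """Unix read check: exactly one of the owner/group/other classes applies."""
    if a.uid == 0:
        return True
    if a.uid == f.uid:
        return bool(f.mode & 0o400)
    if f.gid in a.gids:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

def within_open_basedir(path, prefixes):
    """Simplified model of PHP's prefix match; empty tuple means unrestricted."""
    norm = posixpath.normpath(path)
    return not prefixes or any(norm.startswith(p) for p in prefixes)

def can_read(f, a):
    return mode_allows_read(f, a) and within_open_basedir(f.path, a.php_open_basedir)

# Constructed accounts: Apache runs as uid 48, site owners are uid 1001 and 1002.
SITE1_PHP = Accessor("site1 PHP (Apache DSO)", 48, frozenset({48}), ("/home/sites/site1/",))
SITE2_PHP = Accessor("site2 PHP (Apache DSO)", 48, frozenset({48}), ("/home/sites/site2/",))
SITE2_SHELL = Accessor("site2 shell user", 1002, frozenset({1002}))

def audit(mode):
    """Who can read site1's connection file (constructed path) at this mode?"""
    f = FileMeta("/home/sites/site1/private/db.inc.php", 1001, 1001, mode)
    return {a.name: can_read(f, a) for a in (SITE1_PHP, SITE2_PHP, SITE2_SHELL)}

if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(oct(mode), audit(mode))
```

At 0644 the other site's PHP is blocked by open_basedir but its shell user still reads the file; at 0600 the shell user is blocked and so is the site's own PHP.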