From: Lewis Thompson
To: Lowell Gilbert
Cc: freebsd-questions@freebsd.org
Date: Tue, 10 Feb 2004 15:28:14 +0000
Subject: Re: Shell script containing passwords.
Message-ID: <20040210152813.GA40727@lewiz.org>
In-Reply-To: <44isifarzq.fsf@be-well.ilk.org>
References: <20040209233743.GA58010@lewiz.org> <44isifarzq.fsf@be-well.ilk.org>

On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> Lewis Thompson writes:
>
> > I am worried that because the script must be read/writeable by the
> > Apache user (www) that anybody that can write a PHP script on my machine
> > can read the auth script and read the passwords that would be contained
> > within -- those to my MySQL server.
>
> Why would the script be readable or writeable by any user?
> It only needs to be executable, right?

Well, since it's an interpreted script (it's some standalone PHP) in order
to execute it, the user must be able to read it. Since the script holds
passwds that means that any user with the ability to run it can get the
passwds (in my case to access my MySQL server).

This is a ``flaw'' with the way Apache works because everything Apache
executes must be +rw for the Apache user (www). As a result any person
able to write PHP code (all of my users) can read anything that the Apache
user can, because mod_php executes as the Apache user.

There are security features in PHP (safe_mode) but these conflict with a
large number of PHP scripts. I'm trying to work it out this way now but
it's a lot of hassle.

Thanks for your response,

-lewiz.

--
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jabber:lewiz@jabber.org | url:www.lewiz.org |-
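The message above describes the core problem with mod_php: the interpreter runs as the www user, so every file it can read is readable by every PHP script on the host. The audit below is an added example (not code from this thread, and not part of FreeBSD, Apache or PHP) that makes the exposure visible on a web tree: it lists files that contain a credential-looking assignment and are readable by the web server user, meaning group- or world-readable, or owned by that user outright. The web user's uid is passed numerically so the check also works on a machine where that account does not exist; the assumption in the demo is FreeBSD's www user at uid 80, and the regular expression is a heuristic for `$pass = '...'`-style assignments, not a full parser. The demo tree and its "hunter2" password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lists files under a web tree that both
# contain a credential-looking assignment and are readable by the web server
# user: group- or world-readable, or owned by that user. With mod_php every
# script Apache runs must be readable by www, so each hit is readable by
# every PHP script on the host.
#
# usage: audit_readable_secrets DIR WEB_UID
#   WEB_UID is numeric so the test works even where the account is absent
#   (assumption: FreeBSD's www user is uid 80).
audit_readable_secrets() {
    dir=$1
    webuid=$2
    # Octal -perm tests (-040 group read, -004 world read) and a numeric
    # -user argument are accepted by GNU, BSD and busybox find. The grep
    # pattern is a heuristic: an identifier ending in pass/passwd/pwd,
    # followed by = or =>, followed by a value.
    find "$dir" -type f \( -perm -040 -o -perm -004 -o -user "$webuid" \) \
        -exec grep -lEi \
        '(password|passwd|pass|pwd)[[:space:]]*=>?[[:space:]]*[^[:space:]]' \
        {} \; 2>/dev/null |
    while IFS= read -r f; do
        # Report mode and owner so the reader sees who else can read it;
        # ls -l columns are the same on GNU and BSD userlands.
        ls -ld "$f" | awk -v f="$f" '{print $1, $3, f}'
    done
    return 0
}

# Number of hits, for scripting or tests.
count_readable_secrets() {
    audit_readable_secrets "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo tree (not real files from the thread).
DEMO=$(mktemp -d)
cat > "$DEMO/db_auth.php" <<'EOF'
<?php
$pass = 'hunter2';
EOF
cat > "$DEMO/db_auth_private.php" <<'EOF'
<?php
$pass = 'hunter2';
EOF
cat > "$DEMO/index.php" <<'EOF'
<?php
echo "hello";
EOF
chmod 0644 "$DEMO/db_auth.php" "$DEMO/index.php"   # readable by www via "other"
chmod 0600 "$DEMO/db_auth_private.php"             # owner-only

# Expected: only db_auth.php is reported (mode, owner, path).
audit_readable_secrets "$DEMO" 80
```

The 0600 copy is not reported, but as the message explains that also means mod_php cannot run it, which is the conflict the thread is about: the audit finds the exposed credentials, and the structural fix is to stop running every user's PHP as the same uid (a CGI/suexec or per-user FastCGI setup) rather than to fiddle with the file modes.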