Date: Tue, 10 Feb 2004 17:52:17 +0100
From: Robert Barten <robert@barok.de>
To: Lewis Thompson <purple@lewiz.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Shell script containing passwords.
Message-ID: <20040210165217.GA98004@octopus>
In-Reply-To: <20040210152813.GA40727@lewiz.org>
References: <20040209233743.GA58010@lewiz.org> <44isifarzq.fsf@be-well.ilk.org> <20040210152813.GA40727@lewiz.org>
On Tue, Feb 10, 2004 at 03:28:14PM +0000, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson <purple@lewiz.net> writes:
> >
> > > I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my machine
> > > can read the auth script and read the passwords that would be contained
> > > within -- those to my MySQL server.
> >
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
>
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it. Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>
> This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www). As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>
> There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts. I'm trying to work it out this way now
> but it's a lot of hassle.

No need for safe_mode, set

    php_admin_value open_basedir "/www/dir/to/user/"

in your vhost config; add, if desired, /tmp/phpupload/:/tmp/phpsession/

suphp doesn't work with mod_php AFAIR.

Keep in mind: users (CGI scripts as well) can still browse into other
user directories unless you force them into one group (e.g. users),
set home to 705 and use SuEXEC.

HTH

-- 
Robert Barten
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040210165217.GA98004>
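The two controls Robert's reply combines, written out as an added example; this is not configuration from the thread or from either poster. It assumes Apache 2.4 directive syntax (Require), a hosting customer "alice" with docroot /www/alice/, and a shared group "users"; all of those names are made up for illustration. The filesystem commands appear as comments because the block is Apache configuration.

```apache
# Added example, not from the thread. Assumed names: user "alice",
# shared group "users", docroot /www/alice/.
#
# Filesystem preparation (run once as root; FreeBSD pw(8) syntax):
#   pw groupmod users -m alice    # put every hosting customer in "users"
#   chown alice:users /www/alice
#   chmod 705 /www/alice          # rwx owner, --- group, r-x other
# Unix checks owner bits, then group bits, then other, using the FIRST
# class that matches. Every other customer is in "users", so they hit the
# empty group bits and are refused; www is not in "users", falls through
# to "other" and can still serve the files.

<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /www/alice/htdocs

    # mod_php runs as the Apache user (www), so the 705 mode above cannot
    # stop alice's PHP from reading bob's files: both run as www.
    # open_basedir confines PHP file access to a list of path prefixes.
    # php_admin_value (unlike php_value) cannot be overridden from
    # .htaccess or ini_set(), so the customer cannot lift it.
    #
    # Weak form: open_basedir is a prefix match, so without the trailing
    # slash "/www/alice" would also admit /www/alice2 and /www/alice-old.
    #   php_admin_value open_basedir "/www/alice"
    #
    # Corrected form: every entry ends in "/", entries are ":"-separated
    # on Unix. The two /tmp subdirectories are the upload and session
    # locations suggested in the reply; they must exist and be writable
    # by www, and they are listed so PHP may write there at all.
    php_admin_value open_basedir "/www/alice/:/tmp/phpupload/:/tmp/phpsession/"
    php_admin_value upload_tmp_dir "/tmp/phpupload"
    php_admin_value session.save_path "/tmp/phpsession"

    # CGI (Perl, shell, PHP-as-CGI) is outside open_basedir's reach, so run
    # it under the customer's own uid/gid with suEXEC. From then on the
    # 705 home directories are what keep one customer's CGI out of another's.
    SuexecUserGroup alice users
    ScriptAlias /cgi-bin/ /www/alice/cgi-bin/
    <Directory /www/alice/cgi-bin>
        Options +ExecCGI
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

The MySQL credentials from the original question then live in a file under /www/alice/, readable by www, and open_basedir prevents another customer's mod_php code from opening it; their suEXEC'd CGI is blocked one layer down by the group bits of the 705 directory. Note the division of labour: open_basedir is a PHP-level check and protects only against PHP, while the 705 trick is a kernel permission check and protects against anything running as a member of "users".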