From: Robert Barten
To: Lewis Thompson
Cc: freebsd-questions@freebsd.org
Date: Tue, 10 Feb 2004 17:52:17 +0100
Subject: Re: Shell script containing passwords.
Message-ID: <20040210165217.GA98004@octopus>
In-Reply-To: <20040210152813.GA40727@lewiz.org>

On Tue, Feb 10, 2004 at 03:28:14PM +0000, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson writes:
> >
> > > I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my machine
> > > can read the auth script and read the passwords that would be contained
> > > within -- those to my MySQL server.
> >
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
>
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it. Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>
> This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www). As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>
> There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts. I'm trying to work it out this way now
> but it's a lot of hassle.

No need for safe_mode, set
php_admin_value open_basedir "/www/dir/to/user/"
in your vhost config, add if desired /tmp/phpupload/:/tmp/phpsession/

suphp doesn't work with mod_php AFAIR

Keep in mind: users (CGI scripts as well) can still browse into other user
directories unless you force them into one group (e.g. users), home to 705
and use SuEXEC.

HTH
--
Robert Barten
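
One way to check the per-vhost open_basedir advice in the reply above across a whole server, as an added example that is not part of the original mail: the script parses an Apache config and reports vhosts that set no open_basedir, or whose open_basedir covers another vhost's DocumentRoot. The host names, paths, sample config and the function name audit_vhosts are assumptions made for illustration.

```python
import re

# Constructed sample config (not from the original mail).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName alice.example.org
    DocumentRoot /www/alice/
    php_admin_value open_basedir "/www/alice/:/tmp/phpupload/:/tmp/phpsession/"
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example.org
    DocumentRoot /www/bob/
    php_admin_value open_basedir "/www/"
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example.org
    DocumentRoot /www/carol/
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(block, pattern):
    """Return the unquoted argument of the first matching directive, or None."""
    m = re.search(r"^\s*" + pattern + r"\s+(.+?)\s*$", block, re.M | re.I)
    return m.group(1).strip('"') if m else None

def norm(path):
    """Compare on directory boundaries: /www/ali must not match /www/alice."""
    return path.rstrip("/") + "/"

def audit_vhosts(conf):
    """Return (vhost, finding) tuples for weak or missing open_basedir."""
    hosts = [{"name": directive(b, "ServerName"),
              "root": directive(b, "DocumentRoot"),
              "basedir": directive(b, r"php_admin_value\s+open_basedir")}
             for b in VHOST.findall(conf)]
    findings = []
    for h in hosts:
        if h["basedir"] is None:
            findings.append((h["name"], "no open_basedir"))
            continue
        for entry in filter(None, h["basedir"].split(":")):
            for o in hosts:
                # An entry at or above another vhost's root exposes that vhost.
                if o is not h and o["root"] and norm(o["root"]).startswith(norm(entry)):
                    findings.append((h["name"], "covers " + o["name"]))
    return findings
```
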