Date: Tue, 10 Feb 2004 09:41:22 -0600
From: Eric F Crist <ecrist@adtechintegrated.com>
To: freebsd-questions@freebsd.org
Cc: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
Subject: Re: Shell script containing passwords.
Message-ID: <200402100941.29717.ecrist@adtechintegrated.com>
In-Reply-To: <20040210152813.GA40727@lewiz.org>
References: <20040209233743.GA58010@lewiz.org> <44isifarzq.fsf@be-well.ilk.org> <20040210152813.GA40727@lewiz.org>
On Tuesday 10 February 2004 09:28 am, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson <purple@lewiz.net> writes:
> > > I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my
> > > machine can read the auth script and read the passwords that would be
> > > contained within -- those to my MySQL server.
> >
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
>
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it. Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>
> This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www). As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>
> There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts. I'm trying to work it out this way now
> but it's a lot of hassle.
>
> Thanks for your response,
>
> -lewiz.

Check the syntax for the .htaccess files in the httpd.conf file. This is a file that must be non-readable by regular users via PHP, but Apache has a filter written within the httpd.conf file to disallow access. I know it's about 3/4 of the way down the page.
HTH

-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
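The httpd.conf filter Eric is pointing at, shown here as an added example (editor's addition, not text from the message or from the FreeBSD project): the `<Files>` block shipped in Apache's default httpd.conf, which makes the web server refuse HTTP requests for any file whose name starts with `.ht` (`.htaccess`, `.htpasswd`). The Apache 1.3/2.0 form is the one a 2004 installation would have had; the Apache 2.4 equivalent is included alongside it for comparison.

```apache
# Added example, not from the original message.
# Apache 1.3 / 2.0 / 2.2 syntax, as found in the stock httpd.conf:
# refuse to serve any file matching ^\.ht over HTTP, regardless of
# what other access rules (Allow/Require) might otherwise permit.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# Equivalent in Apache 2.4 syntax (mod_authz_core replaces Order/Deny):
<Files ".ht*">
    Require all denied
</Files>
```

This directive governs what the HTTP server will hand to a remote client. The on-disk owner and mode bits of the file, and therefore what a process running as the `www` user can read, are set separately with `chown`/`chmod` and are not affected by this block.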