Date:      Thu, 3 Feb 2005 04:46:44 -0700 (MST)
From:      Technical Director <technical@ultratrends.com>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        Technical Director <technical@ultratrends.com>
Subject:   RE: Access denied for user 'root'@'localhost' (using password: NO)
Message-ID:  <20050203043020.Q65437@server1.ultratrends.com>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNMEDGFAAA.tedm@toybox.placo.com>
References:  <LOBBIFDAGNMAMLGJJCKNMEDGFAAA.tedm@toybox.placo.com>


On Thu, 3 Feb 2005, Ted Mittelstaedt wrote:

> Do you run php database driven apps on the same server as you use to
> provide shell services?  I don't.  If the webserver is configured
> right it won't allow remote clients to read the scripts, only execute
> them.

Ted,

Shared hosting sites, in my experience anyways which I will grant doesn't
mean much, is that your ftp access gives you:

-rw-r--r-- {$your_name} {$web_group} somefile.php

where {$web_group} is a common group that everyone belongs to and other
is always readable just cause it's easier leaving the file/directory mask
as is.

Meaning that if you can cd to some other user's dir you can read that file.

As well, in the case of php at least, web use of php does not require the
execute bit to be set at all, only the read bit.

Again I speak for web use php scripts.

Rob.

> > -----Original Message-----
> > Subject: Re: Access denied for user 'root'@'localhost' (using password:
> > NO)
> >
> >
> >
> > Positive Negative,
> >
> > You might seriously consider not using 'root@localhost' as
> > well
>
> I would bet 10 to 1 that he's installing an application that already
> is designed NOT to use the mysql root user to access its database.
> This is a case of someone who isn't understanding the design of
> the app he's setting up.  It worked only because he was running an
> out-of-box sql server install which had nothing for a root password.
> He probably misread the instructions and used root instead of the
> username that he was supposed to use.
>
> > since most
> > php scripts read the username/password information in clear text on a
> > nobody:nobody read filesystem. IOW other people can read your files.
> >
>
> Do you run php database driven apps on the same server as you use to
> provide shell services?  I don't.  If the webserver is configured
> right it won't allow remote clients to read the scripts, only execute
> them.
>
> Ted
>
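
A check for the permission pattern Rob describes (-rw-r--r-- with a group everyone belongs to), as an added example that is not part of the original thread. The function names, the .php/.inc suffix list, the sample tree and the shared_gids parameter are assumptions made for illustration; it checks file mode bits only and assumes the parent directories are traversable by other users.

```python
import os
import stat
import tempfile

def audit_php_readability(root, shared_gids=()):
    """Return sorted [(path, mode_string, reasons)] for PHP files other local users can read."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            reasons = []
            if st.st_mode & stat.S_IROTH:
                reasons.append("other-readable")
            # A group read bit only matters when the group is one that many users share.
            if st.st_mode & stat.S_IRGRP and st.st_gid in shared_gids:
                reasons.append("readable by shared group")
            if reasons:
                findings.append((path, stat.filemode(st.st_mode), reasons))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: three users' docroots with different file modes."""
    layout = {
        "alice/config.php": 0o644,  # the -rw-r--r-- case from the message
        "alice/index.php": 0o644,
        "bob/config.php": 0o600,    # owner only
        "bob/notes.txt": 0o644,     # not a PHP file, ignored
        "carol/config.php": 0o640,  # exposed only if the group is shared
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, mode, reasons in audit_php_readability(build_sample_tree(tmp)):
            print(mode, os.path.relpath(path, tmp), ", ".join(reasons))
```

Pass the gid of the common web group in shared_gids to also catch files that are closed to "other" but still group-readable.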



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050203043020.Q65437>