Date: Fri, 4 Feb 2005 01:50:34 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Technical Director" <technical@ultratrends.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: Access denied for user 'root'@'localhost' (using password: NO)
Message-ID: <LOBBIFDAGNMAMLGJJCKNGEDPFAAA.tedm@toybox.placo.com>
In-Reply-To: <20050203043020.Q65437@server1.ultratrends.com>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Technical Director
> Sent: Thursday, February 03, 2005 3:47 AM
> To: Ted Mittelstaedt
> Cc: Positive Negative; freebsd-questions@freebsd.org; Technical Director
> Subject: RE: Access denied for user 'root'@'localhost' (using password: NO)
>
> On Thu, 3 Feb 2005, Ted Mittelstaedt wrote:
>
> > Do you run php database driven apps on the same server as you use to
> > provide shell services? I don't. If the webserver is configured
> > right it won't allow remote clients to read the scripts, only execute
> > them.
>
> Ted,
>
> Shared hosting sites, in my experience anyways (which I will grant
> doesn't mean much), is that your ftp access gives you:
>
> -rw-r--r-- {$your_name} {$web_group} somefile.php
>
> where {$web_group} is a common group that everyone belongs to and other
> is always readable just cause it's easier leaving the file/directory mask
> as is.
>

Yes I see. I might also submit that the ISP dumb enough to give a customer
the root userID and password on the mysql server that they are running on
that shared server deserves what they get.

> Meaning that if you can cd to some other user's dir you can read that file.
>
> As well, in the case of php at least, web use of php does not require the
> execute bit to be set at all, only the read bit.
>

Yes, that is a good point - but I wasn't referring to that though. The
webserver should know that if it's got a .php extension that it's supposed
to run the file, not give it out plaintext to some remote bozo with a web
browser.

> Again I speak for web use php scripts.
>

It is true that if you have a shared server setup with php, and you are
selling/giving/whatever customer access to php on this server, that a
customer foolish enough to have a php script setup world-readable that has
his database name and userID and password in it, is basically allowing any
other customer that has access to this server, access to his database. And
that other customer through ignorance or malice could wipe out the first
customer's data.

Of course, this doesn't compromise any other customer's database on that
mysql server as we are presuming that the ISP has issued individual userIDs
and passwords for each database to every customer. (NOT the root password)

Speaking as an ISP I would say if this happened to one of our customers I
would pretty much have the attitude of "too bad, not our problem" as this
would have meant that the customer with the trashed database would have not
actually bothered to read the information packet we gave to him when he
first requested php access on his shared site. I think most other ISPs
would have the same attitude. We're a nasty bunch.

To me, "root@localhost" pretty much implied that the poster was managing
the mysql server. I cannot imagine him having this kind of access on a
shared server. (at least, not on one that was run by any halfway competent
ISP that is)

Actually as a point of fact about once a quarter I have a customer e-mail
me that he thinks that we must not have any security on our shared
webserver since he can do a cd ../ then ls -l and see everyone's files.
(we give shell access on some of our shared webservers) That is the time I
explain that it's really none of our business if a customer chooses to
exercise their right to NOT change the permissions bits on their files.
That usually quiets the smart guy down especially after I explain that he's
quite obviously chosen not to change the permissions bits on his own files
as well. :-)

Ted
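The exposure discussed in this exchange is a customer's PHP script left world-readable (mode 0644) on a shared host, with the database user and password embedded in it, so that any other shell user on the box can read the credentials. The following is an added example, not code from Ted's message, the thread, or FreeBSD: a small POSIX shell audit that an ISP or a customer could run over a web root to list such files, flag the ones that appear to embed credentials, and clear the "other" read bit. It assumes (these are the example's own assumptions, not the thread's) that each customer's site lives in its own directory under the web root, that the web server process is a member of each file's group so the group read bit is sufficient for PHP to serve the script, and that filenames contain no newlines; the `/usr/local/www/customers` path in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. It checks for the
# exposure the thread describes: on a shared host, a customer's PHP script left
# world-readable (mode 0644) can be read by every other shell user on the box,
# and if it embeds the database user and password, so can the credentials.
#
# Assumptions (not from the thread): the web root holds one directory per
# customer, and the web server process is a member of each file's group, so
# the group read bit is enough for PHP to serve the script and the "other"
# read bit is never needed. Filenames are assumed not to contain newlines.

# Print every .php file under $1 whose "other" read bit is set, one per line.
# find's "-perm -004" matches when that bit is set whatever the rest of the
# mode is: 0644 and 0604 match, 0640 and 0600 do not.
list_world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004 | sort
}

# Narrow the list to files that look like they embed database credentials,
# so the owner knows which of the exposures matter most. The pattern is a
# simple heuristic, not a parser of PHP.
list_exposed_credentials() {
    list_world_readable_php "$1" | while IFS= read -r f; do
        if grep -qiE 'mysql_connect|password' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Clear the "other" read bit on every world-readable .php file under $1.
# Owner and group permissions are left alone, so the web server can still
# serve the script through its group membership.
fix_world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004 -exec chmod o-r {} +
}

# Command-line use (example path): report only, or report and fix with --fix.
#   sh audit_php_perms.sh /usr/local/www/customers
#   sh audit_php_perms.sh /usr/local/www/customers --fix
if [ $# -ge 1 ]; then
    echo "World-readable PHP files under $1:"
    list_world_readable_php "$1"
    echo "Of those, files that appear to embed credentials:"
    list_exposed_credentials "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_world_readable_php "$1"
        echo "Cleared the other-read bit on the files listed above."
    fi
fi
```

Clearing only the "other" bit, rather than forcing 0600, is deliberate: the thread's point is that PHP needs the read bit and nothing more, and on the assumed layout the web server reads through the group, so `o-r` removes the cross-customer exposure without breaking the site.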