Date:      Tue, 10 Feb 2004 15:28:14 +0000
From:      Lewis Thompson <purple@lewiz.net>
To:        Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Shell script containing passwords.
Message-ID:  <20040210152813.GA40727@lewiz.org>
In-Reply-To: <44isifarzq.fsf@be-well.ilk.org>
References:  <20040209233743.GA58010@lewiz.org> <44isifarzq.fsf@be-well.ilk.org>

On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> Lewis Thompson <purple@lewiz.net> writes:
>
> >   I am worried that because the script must be read/writeable by the
> > Apache user (www) that anybody that can write a PHP script on my machine
> > can read the auth script and read the passwords that would be contained
> > within -- those to my MySQL server.
>
> Why would the script be readable or writeable by any user?
> It only needs to be executable, right?

Well, since it's an interpreted script (it's some standalone PHP) in
order to execute it, the user must be able to read it.  Since the script
holds passwds that means that any user with the ability to run it can
get the passwds (in my case to access my MySQL server).

  This is a ``flaw'' with the way Apache works because everything Apache
executes must be +rw for the Apache user (www).  As a result any person
able to write PHP code (all of my users) can read anything that the
Apache user can, because mod_php executes as the Apache user.

  There are security features in PHP (safe_mode) but these conflict with
a large number of PHP scripts.  I'm trying to work it out this way now
but it's a lot of hassle.

  Thanks for your response,

-lewiz.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jabber:lewiz@jabber.org | url:www.lewiz.org |-
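
Added example, not part of the original message: a shell audit for the exposure described above, listing files under a directory that a given account (for instance the Apache user www) can read and that look like they hold a password. The script name audit.sh, the function names and the grep pattern are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: which credential-bearing files can a given account read?
# Simplifications: classic mode bits only (no ACLs), the account's primary
# group only, directory search bits not checked, no newlines in file names.
# Run it as root so grep can open every candidate file.

# readable_by DIR UID GID: regular files under DIR readable by that account.
# Unix checks exactly one permission class: owner, else group, else other.
readable_by() {
    find "$1" -type f \( \
        \( -user "$2" -perm -400 \) -o \
        \( ! -user "$2" -group "$3" -perm -040 \) -o \
        \( ! -user "$2" ! -group "$3" -perm -004 \) \
    \) -print
}

# exposed_secrets DIR UID GID: the subset that contains a line resembling a
# password assignment. The pattern is a constructed heuristic.
exposed_secrets() {
    readable_by "$1" "$2" "$3" | while IFS= read -r f; do
        if grep -Eiq 'pass(wd|word)?[[:space:]]*=' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: sh audit.sh DIR "$(id -u www)" "$(id -g www)"
if [ "$#" -eq 3 ]; then
    exposed_secrets "$1" "$2" "$3"
fi
```

Every path it prints is readable by any code that runs under that account, which under mod_php includes every user's PHP scripts.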



