RE: protect password?

here again....

the solution could be managed by the host/sys admin setting the appropriate
privs for the files. in either case the sys admin should be protecting your
files from view by other users!!!

although i can see why one would go with the route where you deal with the
env vars...

my primary point was to stress the file aspect is essentially the same, all
things being equal.


-----Original Message-----
From: Pablo Gosse [mailto:gossep@xxxxxxx]
Sent: Friday, November 04, 2005 3:45 PM
To: bedouglas@xxxxxxxxxxxxx; php-general@xxxxxxxxxxxxx
Subject: RE:  protect password?


[snip]
pablo...

i fail to see how your suggestion is much more secure than placing the
user/passwd information in a file that's outside the web access space,
and then including the file.

in either case, the user wouldn't be able to read the include file. 
[/snip]

Greetings, Bruce.

On a dedicated server there wouldn't be much difference.  However if the
site in question were on a shared host (which is usually the case) there
would be a huge difference.

On shared hosts, since files to be included need to be readable by the
user the server runs as, their permissions must be set to:

-rw-r--r--

And since everyone else who has a site on the same server must also
have files to be included set to be readable by the server user, one
could easily write a trolling script to traverse the directories of
other users on the site and grab whatever info they needed.

The shared host I use for my personal site used to have this problem
until I made them aware of it.  In less than two minutes I was able to
find several database usernames and passwords.  They've since made
changes to eliminate this problem.  All that needs to be done is secure
up the directory permissions and the problem goes away.

By setting the file readable only by root this problem is completely
eliminated.  Unless a hacker has the root password, they will not be
able to compromise the information in this file.

This is how I understand it, at least.  If Chris reads this perhaps he
can confirm this for me?

Cheers,

Pablo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
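Added example, not from Bruce's or Pablo's messages: a small shell audit that checks an account's include directory for the exposure Pablo describes (config files left at -rw-r--r--, plus directories other local users can traverse) and then applies the fix Bruce attributes to the sysadmin, dropping the "other" permission bits so only the owner and the group the web server runs in can reach the include. The directory layout, the file name config.inc.php and the placeholder password are constructed for the demo; it assumes a POSIX find and that the include directory's group is (or can be set to) the web server's group, which is what keeps the include readable by the server after hardening.

```shell
#!/bin/sh
# Audit and harden an include directory on a shared host.
# Constructed example; the paths below are created by the demo, not taken from a real site.

# Print the number of entries the "other" class can use: regular files readable
# by others (mode bit 0004) and directories others can traverse (search bit 0001).
count_exposed() {
    dir="$1"
    files=$(find "$dir" -type f -perm -004 | wc -l | tr -d ' ')
    dirs=$(find "$dir" -type d -perm -001 | wc -l | tr -d ' ')
    echo $((files + dirs))
}

# List the same entries for a report (find's implicit -print applies to the whole expression).
list_exposed() {
    find "$1" \( -type f -perm -004 \) -o \( -type d -perm -001 \)
}

# Remove the "other" bits: directories 0710 (owner rwx, group may traverse, others nothing),
# files 0640 (owner rw, group read). With the directory's group set to the server's group
# (assumed here), the server still includes the file but other local users cannot read it.
harden_includes() {
    find "$1" -type d -exec chmod 0710 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Self-contained demo on a constructed directory so it runs offline.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/includes"
printf '<?php $db_pass = "example-placeholder";\n' > "$demo_dir/includes/config.inc.php"
chmod 0755 "$demo_dir/includes"                  # world-traversable directory
chmod 0644 "$demo_dir/includes/config.inc.php"   # the -rw-r--r-- case from the thread

echo "before hardening: $(count_exposed "$demo_dir/includes") exposed entries"
list_exposed "$demo_dir/includes"
harden_includes "$demo_dir/includes"
echo "after hardening:  $(count_exposed "$demo_dir/includes") exposed entries"
ls -la "$demo_dir/includes"
rm -rf "$demo_dir"
```

Run it as the account owner; on a real host, run `list_exposed` against the account's include directory first to see what other local users can currently read, then `harden_includes` once the directory's group matches the web server's group, otherwise the server itself loses access to the include.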
