On Fri, November 4, 2005 5:44 pm, Pablo Gosse wrote:
> By setting the file readable only by root this problem is completely
> eliminated. Unless a hacker has the root password, they will not be
> able to compromise the information in this file.
>
> This is how I understand it, at least. If Chris reads this perhaps he
> can confirm this for me?

If only 'root' can read the file, and PHP can read the file (i.e., your script still works) then you have HUGE problems, because your PHP script, and all of Apache, is running as 'root'...

That's *WAY* too much power to be put into your hands, much less your potentially malicious co-hosted users.

It's *possible* your host has set you up with a chroot-ed environment, in which you are 'root' for some sort of virtual machine... Even then, I don't think they'd make all the PHP files root readable only...

It's more likely that the permissions on the file make it possible for the PHP user to read them, but not you to read them in the shell.

You could probably write a PHP script to read all the other files and their passwords, even though you can't read them when you are logged in as "pablo" or whatever.

If not, then maybe they HAVE set you up with a fully chroot-ed environment -- which I've never seen, as far as I know, so I can't be sure what it looks like, though I can imagine.

--
Like Music?
http://l-i-e.com/artists.htm
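The permission reasoning in the reply above, as an added example that is not part of the original message: it works out which Unix permission class (owner, group, other, or root) lets the web server process read a credentials file. It assumes plain mode bits with no ACLs or mandatory access control, and the uid/gid numbers and function names are constructed for illustration.

```python
import os
import stat

def read_access_via(mode, owner, group, uid, gids):
    """Name the permission class that lets (uid, gids) read the file, or None."""
    if uid == 0:
        return "root"  # root is not limited by the read bits
    if uid == owner:
        return "owner" if mode & stat.S_IRUSR else None
    if group in gids:
        return "group" if mode & stat.S_IRGRP else None
    return "other" if mode & stat.S_IROTH else None

def assess(mode, owner, group, web_uid, web_gids):
    """Classify a credentials file from the web server process's point of view."""
    via = read_access_via(mode, owner, group, web_uid, web_gids)
    if via is None:
        return "unreadable: the script cannot load this file"
    if via == "root":
        return "web process runs as root: far too much privilege"
    if via == "other":
        return "world-readable: every local account can read it"
    return f"readable via {via}: so is every script run as uid {web_uid}"

def audit_path(path):
    """Assess a real file against the identity of the current process."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    return assess(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, os.geteuid(), gids)

# Constructed sample identities: uid/gid 33 stands in for the web server
# account, uid 1001 for the shell login. Neither comes from the thread.
WEB_UID, WEB_GIDS = 33, {33}
SHELL_UID, SHELL_GIDS = 1001, {1001}

if __name__ == "__main__":
    # root-owned 0400: a non-root web process cannot read it at all
    print(assess(0o400, 0, 0, WEB_UID, WEB_GIDS))
    # the same file is readable only if the web process itself is root
    print(assess(0o400, 0, 0, 0, {0}))
    # owner root, group web, mode 0640: PHP reads it, the shell login does not
    print(assess(0o640, 0, 33, WEB_UID, WEB_GIDS))
    print(read_access_via(0o640, 0, 33, SHELL_UID, SHELL_GIDS))
    # mode 0644 owned by the shell login: readable through the "other" bits
    print(assess(0o644, 1001, 1001, WEB_UID, WEB_GIDS))
```

Run `audit_path()` from the same account the web server uses; run from a shell login it reports that login's access instead.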