Richard Lynch wrote:
> On Fri, November 4, 2005 5:44 pm, Pablo Gosse wrote:
>> By setting the file readable only by root this problem is completely
>> eliminated. Unless a hacker has the root password, they will not be
>> able to compromise the information in this file.
>>
>> This is how I understand it, at least. If Chris reads this perhaps he
>> can confirm this for me?
>
> If only 'root' can read the file, and PHP can read the file (IE, your
> script still works) then you have HUGE problems, because your PHP
> script, and all of Apache, is running as 'root'...

I think you've missed the trick of the method. The file is included
into the Apache config, not into php.

So Apache reads the file before it lowers itself to the http user. This
means that PHP can't read the file, but it can still get the information
via Apache.

Further, the file doesn't have to be readable only by root, just not
readable by the http user.

So owning the file personally and putting -rw------- permissions on it
should be sufficient, and achievable on a shared host.
--
PHP General Mailing List (http://www.php.net/)
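The setup described in the reply above, sketched as an added example that is not part of the original thread: a credentials fragment created with -rw------- permissions and a check that a given web-server uid cannot read it. The file name, the `DB_USER`/`DB_PASS` variable names, the use of `SetEnv` and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all names and values below are constructed placeholders.

# write_secret_conf FILE: create an Apache config fragment holding the
# credentials, with -rw------- permissions from the moment it exists.
write_secret_conf() {
    ( umask 077
      cat > "$1" <<'EOF'
# Pulled into the main config from inside the site's <VirtualHost> block:
#   Include /path/to/db-secrets.conf
# PHP then sees the values as $_SERVER['DB_USER'] and $_SERVER['DB_PASS'].
# Anything that dumps $_SERVER (phpinfo(), debug pages) also shows them.
SetEnv DB_USER "example_user"
SetEnv DB_PASS "example_password"
EOF
      chmod 600 "$1" )   # also covers a file that already existed
}

# secret_conf_ok FILE HTTP_UID: succeed only if the web-server uid cannot
# read FILE. Conservative: any group or other read bit counts as a failure.
secret_conf_ok() {
    listing=$(ls -ln "$1") || return 2
    perms=$(printf '%s\n' "$listing" | awk '{print $1}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$owner" = "$2" ]; then
        echo "$1: owned by the web-server uid" >&2
        return 1
    fi
    case $perms in
        ????r*|???????r*)
            echo "$1: readable by group or other ($perms)" >&2
            return 1 ;;
    esac
    return 0
}

# Demo in a scratch directory; uid+1 stands in for the web-server account.
demo_dir=$(mktemp -d)
write_secret_conf "$demo_dir/db-secrets.conf"
if secret_conf_ok "$demo_dir/db-secrets.conf" "$(( $(id -u) + 1 ))"; then
    echo "db-secrets.conf is not readable by the web-server uid"
fi
rm -rf "$demo_dir"
```

On a real host, pass the numeric uid of the account the Apache child processes run as, which `id -u` reports for that account name.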