On Tue, November 8, 2005 10:03 pm, David Tulloh wrote:
> Richard Lynch wrote:
>
>> On Fri, November 4, 2005 5:44 pm, Pablo Gosse wrote:
>>
>>> By setting the file readable only by root this problem is completely
>>> eliminated. Unless a hacker has the root password, they will not be
>>> able to compromise the information in this file.
>>>
>>> This is how I understand it, at least. If Chris reads this perhaps he
>>> can confirm this for me?
>>
>> If only 'root' can read the file, and PHP can read the file (IE, your
>> script still works) then you have HUGE problems, because your PHP
>> script, and all of Apache, is running as 'root'...
>
> I think you've missed the trick of the method. The file is included
> into the Apache config, not into php.
> So Apache reads the file before it lowers itself to the http user. This
> means that PHP can't read the file, but it can still get the information
> via Apache.
>
> Further, the file doesn't have to be readable only by root, just not
> readable by the http user.
> So owning the file personally and putting -rw------- permissions on it
> should be sufficient, and achievable on a shared host.

The OP was talking about a file "include"d into PHP...

At least, I *think* he was...

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
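The permission question argued in the quoted replies (root-only versus "just not readable by the http user") comes down to the POSIX mode-bit check. This is an added example, not code from the thread; the uid/gid numbers (33 for the web server account, 1000 for the site owner) and the case list are constructed assumptions, and ACLs are not considered.

```python
import os
import stat

def can_read(mode, file_uid, file_gid, uid, gids):
    """Classic POSIX mode-bit read check (ACLs and capabilities are ignored).

    Exactly one permission class applies: owner, else group, else other.
    """
    if uid == 0:                       # root bypasses mode bits
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_file(path, uid, gids):
    """Return (mode string, readable?) for a real file and a given account."""
    st = os.stat(path)
    readable = can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    return stat.filemode(st.st_mode), readable

# Constructed accounts: the web server runs as uid/gid 33, the site owner is 1000.
HTTP_UID, HTTP_GIDS, OWNER = 33, {33}, 1000

# (label, mode, file uid, file gid) -- constructed cases, not taken from the thread
CASES = [
    ("root-only file", 0o600, 0, 0),
    ("owned personally, -rw-------", 0o600, OWNER, OWNER),
    ("owned personally, world-readable", 0o644, OWNER, OWNER),
    ("group set to the http group", 0o640, OWNER, 33),
    ("owned by the http user", 0o400, 33, 33),
]

def report():
    """Map each constructed case to whether the http account could read it."""
    return {label: can_read(mode, fu, fg, HTTP_UID, HTTP_GIDS)
            for label, mode, fu, fg in CASES}

if __name__ == "__main__":
    for label, readable in report().items():
        print(f"{'EXPOSED' if readable else 'ok':8} {label}")
```

Calling `audit_file(path, uid, gids)` with the real web server account's ids applies the same check to an actual credentials file.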