On Sat, September 30, 2006 9:33 am, Nick Wilson wrote: > Tha'ts exactly what i think it's doing. The -i specifies an identity > file according to the man page for scp so i would have hoped that > would > take care of it (as i cant work out how to generate an identity for > the > apache user itself) but i guess it is doing exactly as you say.. So you made *YOUR* identity file available to the Apache user?... Think this through... Are you on a shared server? If yes, anybody who can write a PHP script can masquerede as "you" and do whatever "you" can do with that "identity" -- So if you've got the private_key of that identity anywhere *other* than at user@xxxxxxxxxx, that's probably a Bad Idea. Even on a dedicated server, you want to make sure that this particular identity file is used ONLY for Apache to do this transfer, and nothing else -- You really want to document this heavily everywhere, so nobody comes along afterwards and uses that private key for something important, not realizing that you've essentially compromised it for Apache (i.e., anybody who manages to get a file onto that server) I'm not saying what you've done is Bad. I'm saying it's really easy for you to have done it Badly without realizing it, and we can't tell from what you've posted and the consequences are serious, so we're possibly gonna tell you "too much" that you already know... :-) -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
