Re: exec returns no output?

On Sat, September 30, 2006 9:33 am, Nick Wilson wrote:
> That's exactly what I think it's doing. The -i specifies an identity
> file according to the man page for scp so I would have hoped that
> would take care of it (as I can't work out how to generate an identity
> for the apache user itself) but I guess it is doing exactly as you say..

So you made *YOUR* identity file available to the Apache user?...

Think this through...

Are you on a shared server?

If yes, anybody who can write a PHP script can masquerade as "you" and
do whatever "you" can do with that "identity" -- So if you've got the
private_key of that identity anywhere *other* than at user@xxxxxxxxxx,
that's probably a Bad Idea.

Even on a dedicated server, you want to make sure that this particular
identity file is used ONLY for Apache to do this transfer, and nothing
else -- You really want to document this heavily everywhere, so nobody
comes along afterwards and uses that private key for something
important, not realizing that you've essentially compromised it for
Apache (i.e., anybody who manages to get a file onto that server).

I'm not saying what you've done is Bad.  I'm saying it's really easy
for you to have done it Badly without realizing it, and we can't tell
from what you've posted and the consequences are serious, so we're
possibly gonna tell you "too much" that you already know... :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
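
The checks the message above asks for (a key used only for this transfer, not readable beyond the account that needs it), as an added example that is not part of the original post. The function name, the finding labels and every path or account passed to it are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the private key a web server
# account uses for scp -i. All paths and account names are caller-supplied.

finding() { echo "$1"; bad=1; }

# audit_key KEYFILE OWNER DOCROOT
#   OWNER is the account that should own the key (name or numeric uid).
#   Prints one finding per line; returns 0 if clean, 1 on findings, 2 if missing.
audit_key() {
    key=$1 owner=$2 docroot=$3 bad=0
    [ -f "$key" ] || { echo "missing: $key is not a regular file"; return 2; }

    # Canonical paths, so symlinked directories cannot hide a docroot location.
    real=$(cd "$(dirname "$key")" && pwd -P)/$(basename "$key")
    root=$(cd "$docroot" 2>/dev/null && pwd -P) || root=$docroot

    # GNU stat first, BSD stat as the fallback.
    mode=$(stat -L -c '%a' "$key" 2>/dev/null || stat -L -f '%Lp' "$key")
    uid=$(stat -L -c '%u' "$key" 2>/dev/null || stat -L -f '%u' "$key")
    name=$(stat -L -c '%U' "$key" 2>/dev/null || stat -L -f '%Su' "$key")

    # Group or other permission bits expose the key to more local accounts.
    case $mode in
        *00) ;;
        *) finding "mode: $key is $mode, expected 600 or 400" ;;
    esac

    # The key should belong to the one account that performs the transfer.
    [ "$owner" = "$uid" ] || [ "$owner" = "$name" ] ||
        finding "owner: $key belongs to $name, expected $owner"

    # A key under the document root may be served to anyone who requests it.
    case $real in
        "$root"/*) finding "docroot: $key is inside $root" ;;
    esac

    # Heuristic: OpenSSH default file names suggest a reused personal identity
    # rather than a key created only for this transfer.
    case $(basename "$key") in
        id_rsa|id_dsa|id_ecdsa|id_ed25519|identity)
            finding "name: $key looks like a personal default key" ;;
    esac
    return $bad
}
```

A clean result covers file hygiene only: as the message says, any script that runs as the owning account can still use the key.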

