From owner-freebsd-questions@FreeBSD.ORG Tue Feb 10 09:05:17 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C2E116A4CE for ; Tue, 10 Feb 2004 09:05:17 -0800 (PST) Received: from mail.radicalv.com (secure.radicalv.com [216.118.91.10]) by mx1.FreeBSD.org (Postfix) with SMTP id B7FDB43D7C for ; Tue, 10 Feb 2004 09:05:16 -0800 (PST) (envelope-from ecrist@adtechintegrated.com) Received: (qmail 46527 invoked from network); 10 Feb 2004 17:05:05 -0000 Received: from unknown (HELO localhost.invalid) (66.188.176.110) by mail.radicalv.com with SMTP; 10 Feb 2004 17:05:05 -0000 From: Eric F Crist Organization: AdTech Integrated Systems, Inc To: freebsd-questions@freebsd.org Date: Tue, 10 Feb 2004 09:41:22 -0600 User-Agent: KMail/1.6 References: <20040209233743.GA58010@lewiz.org> <44isifarzq.fsf@be-well.ilk.org> <20040210152813.GA40727@lewiz.org> In-Reply-To: <20040210152813.GA40727@lewiz.org> MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Boundary-02=_puPKAcHhfPlLtRu"; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200402100941.29717.ecrist@adtechintegrated.com> cc: Lewis Thompson cc: Lowell Gilbert Subject: Re: Shell script containing passwords. X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: ecrist@adtechintegrated.com List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Feb 2004 17:05:17 -0000 --Boundary-02=_puPKAcHhfPlLtRu Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Tuesday 10 February 2004 09:28 am, Lewis Thompson wrote: > On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote: > > Lewis Thompson writes: > > > I am worried that because the script must be read/writeable by the > > > Apache user (www) that anybody that can write a PHP script on my > > > machine can read the auth script and read the passwords that would be > > > contained within -- those to my MySQL server. > > > > Why would the script be readable or writeable by any user? > > It only needs to be executable, right? > > Well, since it's an interpreted script (it's some standalone PHP) in > order to execute it, the user must be able to read it. Since the script > holds passwds that means that any user with the ability to run it can > get the passwds (in my case to access my MySQL server). > > This is a ``flaw'' with the way Apache works because everything Apache > executes must be +rw for the Apache user (www). As a result any person > able to write PHP code (all of my users) can read anything that the > Apache user can, because mod_php executes as the Apache user. > > There are security features in PHP (safe_mode) but these conflict with > a large number of PHP scripts. I'm trying to work it out this way now > but it's a lot of hassle. > > Thanks for your response, > > -lewiz. Check the syntax for the .htaccess files in the httpd.conf file. This is a= =20 file that must be non-readable by regular users via php, but apache has a=20 filter written within the httpd.conf file to disallow access. I know it's= =20 about 3/4 of the way down the page. HTH =2D-=20 Eric F Crist AdTech Integrated Systems, Inc (612) 998-3588 --Boundary-02=_puPKAcHhfPlLtRu Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQBAKPupzdyDbTMRQIYRAjlPAJ4/IwQjJw4IvGd/FVOdB6131W2nDQCePPG2 G/51AhgxACpAu2l1WmyStAo= =xFo3 -----END PGP SIGNATURE----- --Boundary-02=_puPKAcHhfPlLtRu--