php/mysql security question (was Re: [ale] [OT] web hosting (php/mysql/apache) suggestions?)

J.M. Taylor jtaylor at onlinea.com
Wed Jun 4 12:36:36 EDT 2003


Ah, sorry for the long post then.

If you're in a truly shared environment, ie, no virtual machine, and the
only thing preventing you from waltzing into another user's directory is
ownership of that directory, then there's not a thing you can do to
protect your passwords.

Well, there's something involving two-way encryption and a named pipe
listening for requests and other stuff that I could devise if I really
wanted to go round my elbow, but you're still not REALLY buying any
security there because there are a dozen ways I can think of to get around
it. :(

Using PHP, your server's administrator can set open_basedir to lock a php
script into its directory.  This is what I do on my shared hosts and I
have some details at http://galinux.com/howtos/apacheconfig.html#php.

open_basedir is the only thing that I know of that's going to stop
scripts in different directories wandering around the machine, and of
course that only limits PHP.  If you can do server-side includes or
anything like that, it won't do you a bit of good.

There are plenty of less than $10/mo hosts that do actual virtual machine
hosting. If you're concerned about security, this doesn't sound like the
place for you. :(

jenn
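
The effect of PHP's open_basedir setting described above, as an added example that is not part of the original post. The two directories and the config file contents are constructed stand-ins for two customers on one shared host; on a real host the administrator sets the directive per virtual host rather than the script setting it itself.

```php
<?php
// Added example: constructed directories stand in for two customers' homes.
$base  = sys_get_temp_dir() . '/obd_demo_' . getmypid();
$mine  = "$base/usera";   // hypothetical: this site's directory
$other = "$base/userb";   // hypothetical: another customer's directory
mkdir($mine, 0755, true);
mkdir($other, 0755, true);

// Both config files are world-readable (644), as on the host in the thread.
file_put_contents("$mine/config.php",  "<?php \$db_pass = 'constructed-a';\n");
file_put_contents("$other/config.php", "<?php \$db_pass = 'constructed-b';\n");
chmod("$mine/config.php", 0644);
chmod("$other/config.php", 0644);

// Try to read a file; return its contents, or false if the open is refused.
function try_read(string $path)
{
    return @file_get_contents($path);
}

// Map a read result to a label for the report below.
function label($result): string
{
    return $result === false ? 'denied' : 'readable';
}

// Without the restriction, file permissions alone decide, so this succeeds.
$before = try_read("$other/config.php");

// Tighten open_basedir at run time (permitted since PHP 5.3). Set by the
// administrator in the server configuration, a script cannot loosen it.
ini_set('open_basedir', realpath($mine) . DIRECTORY_SEPARATOR);

$own     = try_read("$mine/config.php");   // inside the allowed tree
$blocked = try_read("$other/config.php");  // outside it: PHP refuses the open

printf("no open_basedir,   other user's file: %s\n", label($before));
printf("with open_basedir, own file:          %s\n", label($own));
printf("with open_basedir, other user's file: %s\n", label($blocked));

// The restriction applies to PHP's own file functions only; anything else the
// web server runs as the same user still sees the 644 file. The constructed
// temp directory is left behind, since cleanup outside $mine is now blocked.
```

Run it with the PHP command-line binary; it needs no web server or database.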

Robert Coggins said:
> Jenn,
>
> Here is my question.  How can you set the permissions so only me and
> apache can read the file with the pw.  Because it seems other people on
> the server can see it also.  The problem with me is that I am on a
> hosting service and cannot stop others from reading that file without
> keeping apache from reading it...
>
> Thanks,
> Rob
>
> ----- Original Message -----
> From: "J.M. Taylor" <jtaylor at onlinea.com>
> To: <ale at ale.org>
> Sent: Wednesday, June 04, 2003 10:12 AM
> Subject: Re: php/mysql security question (was Re: [ale] [OT] web hosting
> (php/mysql/apache) suggestions?)
>
>
>> Dylan,
>>
>> This is an interesting issue.
>>
>> The first thing is that I always put my password file outside the
>> web-accessible directory, and include it NOT as a variable.  IE, my
>> include statement is include_once('/path/outside/web/config.php').  If
>> you use a variable for that path, make 100% sure that you initialize it
>> somewhere, that globals are not on, and that you know deep in your
>> heart that nobody can pass you a GET, POST, or COOKIE var that will
>> overwrite that variable name. Includes can be dangerous creatures.
>>
>> The second thing is that even tho it's outside the web directory, I
>> make it a PHP script.  IE, username, host, password, and database name
>> are all variables wrapped in the php open/close tags.  That way if
>> someone *does* manage to display it to their browser, they get a blank
>> screen and all that happens is your variables get initialized.
>>
>> That's as safe as you can be and stay sane.  There are other, overkill
>> sort of things you can do here, most of which I've tried.  They all
>> have their problems and don't increase the security enough to justify
>> the headache...in fact most other things just give you a false sense
>> of security.  Please if someone on the list has things they've tried
>> that don't fall into that category, let me know!! :)
>>
>> There's no substitute for limiting permissions in your database.  One
>> user per application, one config file per application. Use good
>> passwords but not passwords or usernames that have any connection to
>> users on your system or even users in your application if they're
>> logging in via the web (ie, don't let a web user or, god forbid, a
>> shell user named 'joe' with a password of '1n5ekur3' also be a
>> database user with the same username and password).  NEVER use your
>> mysql root password in ANY web config thing EVER for ANY REASON no
>> matter what worthless crap like phpMyAdmin tells you.
>>
>> I've done this a lot, and I still look for ways to make the setup more
>> secure. I'd be interested to see what others do along these lines,
>> this is just my best practices from a few years in the field.
>>
>> HTH
>> jenn
>>
>>
>>
>> Dylan Northrup said:
>> > Here's the situation as I see it:
>> > - .php files need to be 644 in order for Apache to be able to read
>> >   them
>> > - I can't make them 640 and chgrp them to the apache group since I'm
>> >   not a part of the apache group (and even if I did, other folks in
>> >   group apache could read my files as well)
>> > - The reading of the .php files is important because I have to put my
>> >   mysql password in the mysql_connect statement and if someone has my
>> >   mysql password, they have access to my data.
>> >
>> > Now, I don't have anything important in there right now, so it's not
>> > a big deal, but I'd prefer other people not being able to muck with
>> > my data. Anyone else run into this issue?  If so, how did you deal
>> > with it?
>>
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://www.ale.org/mailman/listinfo/ale
>>