Re: php includes in readable directory [message #181839 is a reply to message #181836]
Sun, 09 June 2013 20:57
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 6/9/2013 10:27 AM, John Anderson wrote:
> In article <kp1uur$8nj$1(at)dont-email(dot)me>,
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 6/9/2013 5:39 AM, John Anderson wrote:
>>> Hello,
>>> I've got a website where the apache directory is available to other
>>> users with shell accounts: /var/www/html.
>>>
>>> If I put something like 'db_login.php' in there with a MySQL password in
>>> it, and include it from index.php, then anyone with shell access will be
>>> able to read it.
>>>
>>> So I move it out, but where? Is there a 'standard' place to put stuff
>>> like this? /usr/local seems too 'root-like', and I don't really want to
>>> put it into my $HOME, and give httpd the right to see in there.
>>>
>>> Thanks.
>>>
>>
>> Security 101: Accounts should only have access to what they need.
>> Unless they are directly involved in coding the website, they should not
>> have access to /var/www/html.
>>
>> You need to study up on Linux permissions (and perhaps get a Linux admin
>> to help you configure your system correctly).
>
> Thanks, but I've administered Solaris for twenty years.
>
> I've just never done any PHP until now.
>
OK, so you're familiar with Linux administration. There isn't any
difference between PHP and any other language; you provide the necessary
access and only the necessary access.

Perhaps your problem is not understanding how to configure your system
for an Apache environment, where all users run under www-data.

The question remains - if you have only one website on your system, why
would you have untrusted users accessing /var/www/html? If you do have
multiple sites, why would any sites have access to other sites' files?
(I keep multiple sites in their own directories, i.e.
/var/www/example/html, /var/www/invalid/html, etc.)

If you're concerned about other sites' files accessing your
userid/password from PHP code, perhaps you need to look into chroot-ing
Apache. If you're not familiar with chroot, it will take a little
setting up. But there are a number of good tutorials on the web.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
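The layout discussed in this thread (credentials file outside the document root, readable only by the owner and the web server's group), as an added example that is not part of the original post. It builds the directories under a scratch root passed as an argument so it runs unprivileged; the /etc/myapp path, the file contents and the "www-data" group are assumptions for illustration, and the chgrp step a real host would need is noted but skipped.

```shell
#!/bin/sh
# Added example, not code from the original thread. Demonstrates the layout the
# reply recommends: the credentials file lives outside the document root with
# mode 0640, and only files meant to be public stay under /var/www/html.
# Assumptions: paths are built under a scratch root passed as $1 so this runs
# unprivileged; on a real host the config dir would be chgrp'd to the web
# server's group (www-data in the thread), which needs root and is skipped here.

# Build the directory layout: public docroot plus a private config directory.
setup_layout() {
    root=$1
    mkdir -p "$root/var/www/html" "$root/etc/myapp"
    chmod 755 "$root/var/www/html"   # docroot is world-readable by design
    chmod 750 "$root/etc/myapp"      # others cannot list or enter this dir
    # Constructed credentials file; the password is a placeholder.
    printf '%s\n' '<?php' '$db_user = "app";' '$db_pass = "PLACEHOLDER";' \
        > "$root/etc/myapp/db_login.php"
    chmod 640 "$root/etc/myapp/db_login.php"   # owner rw, group r, others none
    # index.php pulls the secret in by absolute path from outside the docroot.
    printf '%s\n' '<?php' 'require "/etc/myapp/db_login.php";' \
        > "$root/var/www/html/index.php"
    chmod 644 "$root/var/www/html/index.php"
}

# Succeed (exit 0) only if the file grants nothing to "other" and no write to
# group, i.e. mode 0640 or stricter. Parses ls -l so it works on BSD and GNU.
check_secret_perms() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case $perm in
        ?????-?---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Count world-readable PHP files under a docroot that mention a password.
count_exposed_secrets() {
    find "$1" -type f -name '*.php' -perm -004 -exec grep -l -i 'pass' {} \; \
        | wc -l | tr -d ' '
}

# Demo run in a scratch directory, cleaned up afterwards.
scratch=$(mktemp -d)
setup_layout "$scratch"
check_secret_perms "$scratch/etc/myapp/db_login.php" && echo "db_login.php: ok"
echo "exposed secrets under docroot: $(count_exposed_secrets "$scratch/var/www/html")"
rm -rf "$scratch"
```

Running count_exposed_secrets against a real docroot is a quick way to catch a db_login.php that was dropped back into /var/www/html by mistake.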