| php includes in readable directory [message #181832] |
Sun, 09 June 2013 09:39  |
John Anderson
Messages: 2
Registered: June 2013
Karma: 0
|
Junior Member |
|
|
Hello,
I've got a website where the apache directory is available to other
users with shell accounts: /var/www/html.
If I put something like 'db_login.php' in there with a MySQL password in
it, and include it from index.php, then anyone with shell access will be
able to read it.
So I move it out, but where? Is there a 'standard' place to put stuff
like this? /usr/local seems too 'root-like', and I don't really want to
put it into my $HOME, and give httpd the right to see in there.
Thanks.
|
|
|
|
| Re: php includes in readable directory [message #181833 is a reply to message #181832] |
Sun, 09 June 2013 10:59  |
J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 09/06/13 11:39, John Anderson wrote:
> Hello,
> I've got a website where the apache directory is available to other
> users with shell accounts: /var/www/html.
>
> If I put something like 'db_login.php' in there with a MySQL password in
> it, and include it from index.php, then anyone with shell access will be
> able to read it.
No, it depends on owner/group and other permissions
Say you have a file x.php, it's owned by the user john and belongs to
the www-data group, and it has the following permissions:
-rw-r----- 1 john www-data 0 Jun 9 12:44 x.php
Then the apache (assuming not using suExec) can read the file and john
can read and write to the file, but any one else (except root) won't be
able to read the file.
In Linux and Unix it's not a location of a file which determines if
someone can read a file, but the permissions on the file and on the
whole path to the file.
You can have a file y.php which has the following permissions:
-rw-r--r-- 1 john www-data 0 Jun 9 12:44 y.php
and the /var/www/html has the following permissions:
drwxr-x--- 1 john www-data 0 Jun 9 12:44 html
the file y.php is still only accessible for john and all members of
www-data group and root.
> So I move it out, but where? Is there a 'standard' place to put stuff
> like this? /usr/local seems too 'root-like', and I don't really want to
> put it into my $HOME, and give httpd the right to see in there.
If I would be you, I would have things setup the following way:
The DocumentRoot is /var/www/example.net/html (replace example.net with
your domain name for the site, including subdomain if a such).
Place your site in /var/www/example.net/html eg your index.php
Place all your configuration files in /var/www/example.net/ eg your
db_login.php.
Secure the /var/www/example.net by only allow you and apache to be able
to access the files in this directory. Give apache only read permission
to files/directories which it's just allowed to read or execute (keep in
mind php files do not need execution permission set for it's not
executed as it is).
This way you protect your file from everyone who don't belong to the
group which is apaches default group and those who visit the site can't
directly access the config file as it's outside the DocumentRoot.
A good thing is to not spread your file all around the server, as it
will be more difficult to maintain. Just see to secure your files with
the correct permissions and owner/group belongings.
--
//Aho
|
|
|
|
|
|
| Re: php includes in readable directory [message #181835 is a reply to message #181832] |
Sun, 09 June 2013 13:16 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/9/2013 5:39 AM, John Anderson wrote:
> Hello,
> I've got a website where the apache directory is available to other
> users with shell accounts: /var/www/html.
>
> If I put something like 'db_login.php' in there with a MySQL password in
> it, and include it from index.php, then anyone with shell access will be
> able to read it.
>
> So I move it out, but where? Is there a 'standard' place to put stuff
> like this? /usr/local seems too 'root-like', and I don't really want to
> put it into my $HOME, and give httpd the right to see in there.
>
> Thanks.
>
Security 101L: Accounts should only have access to what they need.
Unless they are directly involved in coding the website, they should not
have access to /var/www/html.
You need to study up on Linux permissions (and perhaps get a Linux admin
to help you configure you system correctly).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: php includes in readable directory [message #181836 is a reply to message #181835] |
Sun, 09 June 2013 14:27 |
John Anderson
Messages: 2
Registered: June 2013
Karma: 0
|
Junior Member |
|
|
In article <kp1uur$8nj$1(at)dont-email(dot)me>,
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
> On 6/9/2013 5:39 AM, John Anderson wrote:
>> Hello,
>> I've got a website where the apache directory is available to other
>> users with shell accounts: /var/www/html.
>>
>> If I put something like 'db_login.php' in there with a MySQL password in
>> it, and include it from index.php, then anyone with shell access will be
>> able to read it.
>>
>> So I move it out, but where? Is there a 'standard' place to put stuff
>> like this? /usr/local seems too 'root-like', and I don't really want to
>> put it into my $HOME, and give httpd the right to see in there.
>>
>> Thanks.
>>
>
> Security 101L: Accounts should only have access to what they need.
> Unless they are directly involved in coding the website, they should not
> have access to /var/www/html.
>
> You need to study up on Linux permissions (and perhaps get a Linux admin
> to help you configure you system correctly).
Thanks, but I've administered Solaris for twenty years.
I've just never done any PhP until now.
|
|
|
|
|
|
| Re: php includes in readable directory [message #181838 is a reply to message #181836] |
Sun, 09 June 2013 20:09 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Sun, 09 Jun 2013 15:27:13 +0100, John Anderson wrote:
> Thanks, but I've administered Solaris for twenty years.
>
> I've just never done any PhP until now.
Don't put the password file anywhere under the webroot.
If you've been administering solaris for the last 20 years, then it's
reasonable to assume that you know enough about setting file and dir
permissions to place a file in your $HOME that is editable by you and
readable by www-data, without exposing the rest of your $HOME to being
readable by www-data.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
| Re: php includes in readable directory [message #181839 is a reply to message #181836] |
Sun, 09 June 2013 20:57 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 6/9/2013 10:27 AM, John Anderson wrote:
> In article <kp1uur$8nj$1(at)dont-email(dot)me>,
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 6/9/2013 5:39 AM, John Anderson wrote:
>>> Hello,
>>> I've got a website where the apache directory is available to other
>>> users with shell accounts: /var/www/html.
>>>
>>> If I put something like 'db_login.php' in there with a MySQL password in
>>> it, and include it from index.php, then anyone with shell access will be
>>> able to read it.
>>>
>>> So I move it out, but where? Is there a 'standard' place to put stuff
>>> like this? /usr/local seems too 'root-like', and I don't really want to
>>> put it into my $HOME, and give httpd the right to see in there.
>>>
>>> Thanks.
>>>
>>
>> Security 101L: Accounts should only have access to what they need.
>> Unless they are directly involved in coding the website, they should not
>> have access to /var/www/html.
>>
>> You need to study up on Linux permissions (and perhaps get a Linux admin
>> to help you configure you system correctly).
>
> Thanks, but I've administered Solaris for twenty years.
>
> I've just never done any PhP until now.
>
OK, so you're familiar with Linux administration. There isn't any
difference between PHP and any other language; you provide the necessary
access and only the necessary access.
Perhaps your problem is not understanding how to configure your system
for an Apache environment, where all users run under www-data.
The question remains - if you have only one website on your system, why
would you have untrusted users accessing /var/www/html? If you do have
multiple sites, why would any sites have access to other sites files?
(I keep multiple sites in their own directories, i.e.
/var/www/example/html, /var/www/invalid/html, etc.
If you're concerned about other sites files accessing your
userid/password from PHP code, perhaps you need to look into chroot-ing
Apache. If you're not familiar with chroot, it will take a little
setting up. But there are a number of good tutorials on the web.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]