Posted to users@httpd.apache.org by Steve <st...@iprimus.com.au> on 2002/11/22 02:49:16 UTC

[users@httpd] Security Issue

Hi.

I have a file in /home/web/master/config.php which contains my hardcoded
MySQL password.
The permissions on it are

-rw-r--r-- user group

I need the "others" permission set to read so the Apache web server can read
config.php when I include it..
BUT
all the other users on the system will be able to read the file because it's
readable by all..
Is there a way to stop this, so users can't read other users' files..

I know you can use suEXEC to secure it a little bit, but is there any way other
than using suEXEC?

Like locking them in their home dir or something?

Thanks
/Steve


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Security Issue

Posted by Zac Stevens <zt...@cryptocracy.com>.
On Fri, Nov 22, 2002 at 12:49:16PM +1100, Steve wrote:
> I need the "others" permission set to read so the Apache web server can read
> config.php when I include it..
> BUT
> all the other users on the system will be able to read the file because it's
> readable by all..

Yes, that's a logical consequence of allowing all users access to the file.

> Is there a way to stop this, so users can't read other users' files..

You could remove the 'other' perms and put the apache user into the group
that the file is in.  That won't help much, however, because unless you're
using suexec the file will still be accessible to anyone using cgi/ssi/php
on your websites.

> I know you can use suEXEC to secure it a little bit, but is there any way other
> than using suEXEC?

Nope.  suexec is what you're looking for.

HTH,


Zac
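
Added example (not part of the thread, and not Apache's or anyone's code here): a
small Python model of the Unix read check that Zac's answer rests on. It walks
the layouts discussed above (world-readable; the "put the apache user in the
file's group" trick; the same with suEXEC; and 0600 with suEXEC) and asks three
questions of each: does Steve's own page still get to include config.php, can
another hosted user read it from a login shell, and can that user's own
PHP/CGI page read it. The users steve, mallory and apache and the group web are
constructed for the example. The suEXEC rows assume PHP is run as a CGI, since
suEXEC only changes the identity of CGI and SSI programs; mod_php stays inside
the httpd process and keeps the server's uid. Root, ACLs and directory search
(x) bits are deliberately left out of the model.

```python
from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int            # permission bits only, e.g. 0o640


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset    # every group the user is a member of


def can_read(f: File, u: User) -> bool:
    """Owner, then group, then other: the classic Unix DAC read decision.
    Root's bypass of DAC is intentionally not modelled."""
    if u.name == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in u.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def effective_user(script_owner: User, httpd: User, suexec: bool) -> User:
    """Identity a request-handling script runs under.
    Without suEXEC every CGI/SSI/mod_php handler runs as the server's
    User/Group; with suEXEC, CGI and SSI programs are exec'd as their owner."""
    return script_owner if suexec else httpd


def scenario(mode: int, file_group: str, httpd: User, suexec: bool) -> dict:
    # Constructed accounts: steve owns the site, mallory is another hosted user.
    cfg = File(owner="steve", group=file_group, mode=mode)
    steve = User("steve", frozenset({"steve", "web"}))
    mallory = User("mallory", frozenset({"mallory"}))
    return {
        # Steve's own page must still be able to include config.php
        "steve_site_works": can_read(cfg, effective_user(steve, httpd, suexec)),
        # mallory logged in over ssh, running `cat /home/web/master/config.php`
        "mallory_shell": can_read(cfg, mallory),
        # mallory's own page doing include('/home/web/master/config.php')
        "mallory_script": can_read(cfg, effective_user(mallory, httpd, suexec)),
    }


HTTPD = User("apache", frozenset({"apache"}))
HTTPD_IN_WEB = User("apache", frozenset({"apache", "web"}))   # Zac's group trick


def all_scenarios() -> dict:
    """The four layouts discussed in the thread, keyed by a short label."""
    return {
        "644, no suexec": scenario(0o644, "web", HTTPD, suexec=False),
        "640 + apache in group, no suexec": scenario(0o640, "web", HTTPD_IN_WEB, suexec=False),
        "640 + apache in group, suexec": scenario(0o640, "web", HTTPD_IN_WEB, suexec=True),
        "600, suexec": scenario(0o600, "web", HTTPD, suexec=True),
    }


if __name__ == "__main__":
    for label, result in all_scenarios().items():
        print(f"{label:36} {result}")
```

Running it prints one row per layout. The second row is the one Zac warns
about: mallory's shell is locked out, but her page, executing as apache, still
reads the file because apache is in the group. The last row shows that once
suEXEC is in place the group trick is no longer needed at all: Steve's scripts
run as steve, so 0600 is enough and nobody else's shell or script gets in.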



Re: [users@httpd] Security Issue

Posted by Justin Williams <ju...@naturalwebs.com>.
I'm sure it is possible, though I don't know how (anybody wanna field this
part?), to limit the users to accessing ONLY their own directories, with no
access to the parent directories.
Your web files are all in /www and /web/something, right?  So put the
config.php in the /home directory.  This will prevent others from seeing the
file from the web (since they won't know it is there, unless they can see the
PHP accessing the config file; if they are seeing the PHP directly, you
have other problems...  ;-)

On Thursday 21 November 2002 09:51 pm, Steve wrote:
> But i have many users on my webserver..
>
> So my web root is /home/www
>
> my users are in /home/www/users/(user)
>
> and my main files are in /home/web/master and /home/web/services
>
> So any user could still get the files off another user..
>
> If u get what i mean..
>
> Wouldn't people also be able to use SSI or CGI to get the files too, so it's
> not completely a PHP issue?
>
> /Steve
>
> ----- Original Message -----
> From: "Justin Williams" <ju...@naturalwebs.com>
> To: <us...@httpd.apache.org>
> Sent: Friday, November 22, 2002 1:47 PM
> Subject: Re: [users@httpd] Security Issue
>
> > This is more a PHP question, but, because PHP can think outside the
> > Apache box, you are not limited to the web directory.  Put the config.php
> > in the parent directory of the www (or http, or whatever your website's
> > root directory is).  This way, nobody can get to it from the web.  ;-)
> > Or it at least becomes very difficult...
> >
> > On Thursday 21 November 2002 08:49 pm, Steve wrote:
> > > Hi.
> > >
> > > I have a file in /home/web/master/config.php which contains my
> > > hardcoded mysql password.
> > > The permissions on it are
> > >
> > > -rw-r--r-- user group
> > >
> > > I need the "others" permission set to read so the Apache web server can
> > > read config.php when I include it..
> > > BUT
> > > All the other users on the system will be able to read the file because
> > > it's readable by all..
> > > Is there a way to stop this, so users can't read other users' files..
> > >
> > > I know you can use suEXEC to secure it a little bit, but is there any way
> > > other than using suEXEC?
> > >
> > > Like locking them in their home dir or something?
> > >
> > > Thanks
> > > /Steve




Re: [users@httpd] Security Issue

Posted by Steve <st...@iprimus.com.au>.
But I have many users on my web server..

So my web root is /home/www

my users are in /home/www/users/(user)

and my main files are in /home/web/master and /home/web/services

So any user could still get the files off another user..

If you get what I mean..

Wouldn't people also be able to use SSI or CGI to get the files too, so it's
not completely a PHP issue?

/Steve

----- Original Message -----
From: "Justin Williams" <ju...@naturalwebs.com>
To: <us...@httpd.apache.org>
Sent: Friday, November 22, 2002 1:47 PM
Subject: Re: [users@httpd] Security Issue


> This is more a PHP question, but, because PHP can think outside the Apache
> box, you are not limited to the web directory.  Put the config.php in the
> parent directory of the www (or http, or whatever your website's root
> directory is).  This way, nobody can get to it from the web.  ;-)  Or it at
> least becomes very difficult...
>
> On Thursday 21 November 2002 08:49 pm, Steve wrote:
> > Hi.
> >
> > I have a file in /home/web/master/config.php which contains my hardcoded
> > mysql password.
> > The permissions on it are
> >
> > -rw-r--r-- user group
> >
> > I need the "others" permission set to read so the Apache web server can read
> > config.php when I include it..
> > BUT
> > All the other users on the system will be able to read the file because
> > it's readable by all..
> > Is there a way to stop this, so users can't read other users' files..
> >
> > I know you can use suEXEC to secure it a little bit, but is there any way
> > other than using suEXEC?
> >
> > Like locking them in their home dir or something?
> >
> > Thanks
> > /Steve




Re: [users@httpd] Security Issue

Posted by Justin Williams <ju...@naturalwebs.com>.
This is more a PHP question, but, because PHP can think outside the Apache 
box, you are not limited to the web directory.  Put the config.php in the 
parent directory of the www (or http, or whatever your website's root 
directory is).  This way, nobody can get to it from the web.  ;-)  Or it at 
least becomes very difficult...

On Thursday 21 November 2002 08:49 pm, Steve wrote:
> Hi.
>
> I have a file in /home/web/master/config.php which contains my hardcoded
> mysql password.
> The permissions on it are
>
> -rw-r--r-- user group
>
> I need the "others" permission set to read so the Apache web server can read
> config.php when I include it..
> BUT
> All the other users on the system will be able to read the file because it's
> readable by all..
> Is there a way to stop this, so users can't read other users' files..
>
> I know you can use suEXEC to secure it a little bit, but is there any way other
> than using suEXEC?
>
> Like locking them in their home dir or something?
>
> Thanks
> /Steve

