Re: secret data for php pages
On Wed, 7 Jun 2000 cfm@maine.com wrote:
> On Wed, Jun 07, 2000 at 08:23:18PM +0200, Robert Varga wrote:
>
> > > Store the mysql connection information in a PHP file in the webspace. I
> > > often create a file db_config.php3 and it looks like this:
> > >
> > > <?
> > > $dbhost = "localhost";
> > > $dbuser = "someuser";
> > > $dbpasswd = "somepassword";
> > > mysql_connect ($dbhost, $dbuser, $dbpasswd) or
> > > die("Unable to connect to mysql server ($dbhost) ...");
> > > ?>
> > >
> >
> >
> > The problem is that anyone who can put up a php page can download every
> > php page _source_ there is on the webserver (see my initial post).
> > Therefore the password is retrievable this way.
>
>
> Nor would the above script be persistent, no? I don't do any PHP.
It would be persistent if invoked from the mod_php3 and not from php3 cgi.
>
> What we do is generate an initial connection to db when server starts
> up as root. The server then changes uid/gid to nobody:nogroup. Now
> that is with WN. Hardly stock debian setup. ;^) Nor do we let users
> onto the machines with that setup; it's staff only. Period.
>
How can this be carried out and what is WN? :)
> As an alternative, you might be able to set server id read only depending
> on how much updating and run the updates suid, etc....
>
I don't understand this part, but reads are also dangerous; think of
retrieving other users' sensitive data :)
Regards,
Robert Varga
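A check for the exposure discussed in this thread, added here as an example (not code from the thread or from any of its participants): it walks a web root and flags PHP files that embed a database password, as the quoted db_config.php3 does, when the web server's uid can read them, since under mod_php every hosted user's script runs as that uid. The file-name patterns, the password regex and the uid/gid of the server (33 is www-data on Debian) are my assumptions.

```python
import re
import stat
from pathlib import Path

# Password assignments of the kind the quoted db_config.php3 contains (assumed names).
PASSWORD_RE = re.compile(r'\$(?:dbpasswd|dbpass|db_pass(?:word)?|password)\s*=\s*["\']', re.I)

def can_read(mode, owner_uid, owner_gid, uid, gid):
    """Unix read check for a process running as uid/gid (root always can)."""
    if uid == 0:
        return True
    if owner_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def assess(content, mode, owner_uid, owner_gid, server_uid, server_gid, in_webroot):
    """Problems with one PHP file; pure (no I/O) so the rules are unit-testable."""
    if not PASSWORD_RE.search(content):
        return []                       # no embedded password, nothing to protect
    problems = []
    if in_webroot:
        problems.append("inside web root")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    # Under mod_php every hosted script runs as the server uid, so whatever the
    # server can read, any other user's PHP page can read too. Only a root-owned
    # 0600 file read before privileges are dropped (the connect-at-startup setup) escapes this.
    if can_read(mode, owner_uid, owner_gid, server_uid, server_gid):
        problems.append("readable by web-server uid")
    return problems

def scan(webroot, server_uid, server_gid):
    """Walk `webroot` and return {path: [problems]} for exposed credential files."""
    report = {}
    for path in Path(webroot).rglob("*"):
        if not path.is_file() or not path.suffix.startswith((".php", ".inc")):
            continue
        st = path.stat()
        problems = assess(path.read_text(errors="replace"), stat.S_IMODE(st.st_mode),
                          st.st_uid, st.st_gid, server_uid, server_gid, True)
        if problems:
            report[str(path)] = problems
    return report

if __name__ == "__main__":
    import sys  # usage: python audit_db_config.py /var/www 33 33
    for path, problems in scan(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])).items():
        print(f"{path}: {'; '.join(problems)}")
```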