httpd-users mailing list archives

From Justin Williams <jus...@naturalwebs.com>
Subject Re: [users@httpd] Security Issue
Date Fri, 22 Nov 2002 03:08:10 GMT
I'm sure it is possible, though I don't know how (anybody wanna field this 
part?) to limit the users to access ONLY their own directories.  No access to 
the parent directories.
Your web files are all in /www and /web/something, right?  So, put the
config.php in the /home directory.  This will prevent others from seeing the
file from the web (since they won't know it is there, unless they can see the
PHP accessing the config file).  If they are seeing the PHP, directly, you
have other problems...  ;-)

On Thursday 21 November 2002 09:51 pm, Steve wrote:
> But I have many users on my webserver..
>
> So my web root is /home/www
>
> my users are in /home/www/users/(user)
>
> and my main files are in /home/web/master and /home/web/services
>
> So any user could still get the files off another user..
>
> If u get what I mean..
>
> Wouldn't people also be able to use SSI or CGI to get the files also so it's
> not completely a php issue?
>
> /Steve
>
> ----- Original Message -----
> From: "Justin Williams" <justin@naturalwebs.com>
> To: <users@httpd.apache.org>
> Sent: Friday, November 22, 2002 1:47 PM
> Subject: Re: [users@httpd] Security Issue
>
> > This is more a PHP question, but, because PHP can think outside the
> > Apache box, you are not limited to the web directory.  Put the config.php
> > in the parent directory of the www (or http, or whatever your website's
> > root directory is).  This way, nobody can get to it from the web.  ;-)
> > Or it at least becomes very difficult...
> >
> > On Thursday 21 November 2002 08:49 pm, Steve wrote:
> > > Hi.
> > >
> > > I have a file in /home/web/master/config.php which contains my
> > > hardcoded mysql password.
> > > The permissions on it are
> > >
> > > -rw-r--r-- user group
> > >
> > > I need the Others permission as read so the apache webserver can read
> > > the config.php when I include it..
> > > BUT
> > > All the other users on the system will be able to read the file because
> > > it's readable by all..
> > > Is there a way to stop this, so users can't read other users' files..
> > >
> > > I know u can use suEXEC to secure a little bit, but is there any way
> > > other than using suEXEC?
> > >
> > > like locking them in their homedir or something?
> > >
> > > Thanks
> > > /Steve
> > >
> > >


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
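
The two exposures raised in this thread (the "others" read bit in `-rw-r--r--`, and a config file sitting under the web root), as an added example that is not part of the original messages: a POSIX shell check for both. The function names and the bitmask return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a secrets file (such as config.php) for the two
# exposures raised in the thread. Function names are illustrative.

# Resolve an existing file's path to an absolute, symlink-free form.
canon() {
    dir=$(cd "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename -- "$1")"
}

# audit_secret FILE DOCROOT
# Return value is a bitmask (an assumption of this example):
#   1 = readable by "others", 2 = located under DOCROOT, 4 = file missing.
audit_secret() {
    file=$1; docroot=$2; rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 4; }

    # Character 8 of the ls mode string is the "others" read bit,
    # the third "r" in -rw-r--r--.
    mode=$(ls -ld -- "$file" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c8)" = "r" ]; then
        echo "WORLD-READABLE ($mode): every local account can read $file"
        rc=$((rc | 1))
    fi

    # A file under the document root can also be requested by URL.
    abs=$(canon "$file") || return 4
    root=$(cd "$docroot" 2>/dev/null && pwd -P) || root=$docroot
    case "$abs" in
        "$root"/*)
            echo "UNDER DOCROOT: $abs is inside $root"
            rc=$((rc | 2)) ;;
    esac

    if [ "$rc" -eq 0 ]; then echo "ok ($mode): $file"; fi
    return "$rc"
}

# Stand-alone use: sh audit.sh /path/to/config.php /path/to/docroot
if [ "$#" -eq 2 ]; then audit_secret "$1" "$2"; fi
```

A result of 1 for a file outside the web root is the case Steve describes: the file cannot be fetched by URL, but every local account can still read it.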

