Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 19250 invoked by uid 500); 22 Nov 2002 03:00:55 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 19237 invoked from network); 22 Nov 2002 03:00:54 -0000
Received: from mail.pshift.com (HELO vopmail.pshift.com) (208.153.85.30) by daedalus.apache.org with SMTP; 22 Nov 2002 03:00:54 -0000
Received: from loki.asgaard.net (unverified [208.158.87.140]) by vopmail.pshift.com (Vircom SMTPRS 1.4.230) with ESMTP id for ; Thu, 21 Nov 2002 21:57:50 -0500
Content-Type: text/plain; charset="iso-8859-1"
From: Justin Williams
Organization: Natural Web Design
To: users@httpd.apache.org
Date: Thu, 21 Nov 2002 22:08:10 -0500
User-Agent: KMail/1.4.3
References: <009501c291c9$5e47e820$70bb32d2@steveuyfdnjo6s> <200211212147.12047.justin@naturalwebs.com> <013501c291d2$020d4920$70bb32d2@steveuyfdnjo6s>
In-Reply-To: <013501c291d2$020d4920$70bb32d2@steveuyfdnjo6s>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200211212208.10652.justin@naturalwebs.com>
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
Subject: Re: [users@httpd] Security Issue

I'm sure it is possible, though I don't know how (anybody wanna field this part?), to limit the users to access ONLY their own directories. No access to the parent directories.

Your web files are all in /www and /web/something, right? So, put the config.php in the /home directory. This will prevent others from seeing the file from the web (since they won't know it is there, unless they can see the PHP accessing the config file. If they are seeing the PHP directly, you have other problems... ;-)

On Thursday 21 November 2002 09:51 pm, Steve wrote:
> But I have many users on my webserver..
>
> So my web root is /home/www
>
> my users are in /home/www/users/(user)
>
> and my main files are in /home/web/master and /home/web/services
>
> So any user could still get the files off another user..
>
> If you get what I mean..
>
> Wouldn't people also be able to use SSI or CGI to get the files, so it's not completely a PHP issue?
>
> /Steve
>
> ----- Original Message -----
> From: "Justin Williams"
> To:
> Sent: Friday, November 22, 2002 1:47 PM
> Subject: Re: [users@httpd] Security Issue
>
>
> > This is more a PHP question, but, because PHP can think outside the Apache box, you are not limited to the web directory. Put the config.php in the parent directory of the www (or http, or whatever your website's root directory is). This way, nobody can get to it from the web. ;-) Or it at least becomes very difficult...
> >
> > On Thursday 21 November 2002 08:49 pm, Steve wrote:
> > > Hi.
> > >
> > > I have a file in /home/web/master/config.php which contains my hardcoded mysql password.
> > > The permissions on it are
> > >
> > > -rw-r--r-- user group
> > >
> > > I need the Others permission as read so the apache webserver can read the config.php when I include it..
> > > BUT
> > > All the other users on the system will be able to read the file because it's readable by all..
> > > Is there a way to stop this, so users can't read other users' files..
> > >
> > > I know you can use suEXEC to secure a little bit, but is there any way other than using suEXEC?
> > >
> > > like locking them in their homedir or something?
> > >
> > > Thanks
> > > /Steve
> > >
> > >
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > See for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
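The thread mixes two separate problems: keeping config.php from being fetched over HTTP (solved by moving it outside the document root, as Justin suggests) and keeping other local accounts from reading it (the -rw-r--r-- mode Steve posted). The script below is an added example, not code from the thread or from the Apache project. It rebuilds Steve's /home/www and /home/web/master layout in a scratch directory, reproduces the world-readable state, then applies the usual fix: give the file to the group the web server runs as and set mode 0640 so "others" have no read bit. The web server group is a hypothetical WEBGROUP variable; it defaults to the caller's own primary group so the demo runs stand-alone, and the file contents and password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread).  Shows the permission model that lets
# the web server read config.php while other local users cannot.
# Assumption (hypothetical): the web server runs as a member of $WEBGROUP.
# When unset we fall back to the caller's primary group so the demo runs
# stand-alone; on a real host set WEBGROUP to the group named by the Group
# directive in httpd.conf.

# Return 0 when "others" hold the read bit on $1, 1 otherwise.
# Parses ls -ld rather than stat(1) because stat's flags differ between GNU
# and BSD userlands; the "other read" bit is column 8 of e.g. -rw-r--r--.
other_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Hand the file to the web server's group and drop the world-read bit:
# owner rw, group r, others nothing (0640).
harden_config() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# Build a scratch copy of Steve's layout and apply the fix to it.
# Returns 0 if the file was world-readable before and is not afterwards.
demo() {
    webgroup=${WEBGROUP:-$(id -gn)}
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/www" "$root/home/web/master"   # docroot vs. config dir
    cfg="$root/home/web/master/config.php"               # outside /home/www
    # Constructed sample content; the password is a placeholder, not real.
    printf '<?php $db_pass = "sample-password-not-real"; ?>\n' > "$cfg"
    chmod 0644 "$cfg"              # the -rw-r--r-- state from the thread

    if other_readable "$cfg"; then before=readable; else before=protected; fi
    harden_config "$cfg" "$webgroup" || { rm -rf "$root"; return 1; }
    if other_readable "$cfg"; then after=readable; else after=protected; fi

    echo "config.php before: $before, after: $after ($(ls -ld "$cfg" | cut -c1-10))"
    rm -rf "$root"
    [ "$before" = readable ] && [ "$after" = protected ]
}

demo
```

Two caveats a practitioner would check before calling this done. Keeping config.php under /home/web rather than /home/www only stops HTTP requests for it; the 0640 step is what stops local reads. And on a shared host where PHP runs as an Apache module, every user's scripts run as the same Apache user, so any file Apache's group can read is still reachable from another user's PHP, SSI or CGI; that is exactly the gap suEXEC (or running each user's scripts as their own account) closes, which is why it came up in the thread.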