Re: Deny Access To configuration file using php scripts

One thing I do, is run my PHP scripts that have config files, outside of 
the webroot, so there is no way they can get at them.  Since the webroot 
is kind of a chroot jail for the webuser, there is no way they can get 
below the root web directory.  Do some searching on google to find out 
more specifics, but if your web root is /var/www/html, then simply put 
your critical php scripts in /var/www/secure/somewhere and then call the 
scripts from your webroot.

Many applications do this now, for this kind of security.  Take a look 
at a squirelmail RPM install, and you will see that most of the PHP 
files are actually located in /usr/lib/squirrelmail and not the web root.

Good luck!

- Bruce


raT wrote:
> Hello i have a web server and i have a major problem
>
> some of my users are trying to find my pass for my mysql database.
>
> the first thing they do is a
> system ('cat /var/www/path to config file');
> inside a php script
>
> my problem is to deny this file from being read throu the script since
> the apache deamon runs as nobody
> and it has to have read permision to the configuration file.
>
> my users have shell acount and can create files in the public_html folder.
> any help?
> snif!
>
> thanks in advance.