RE: Deny Access To configuration file using php scripts

Use open_basedir restrictions in httpd.conf to limit their filesystem
access. Example:

<Directory /home/joeuser/www>
        php_admin_value open_basedir "/home/joeuser/www:/tmp" 
...

More information here:
http://us2.php.net/features.safe-mode

"Limit the files that can be opened by PHP to the specified directory-tree,
including the file itself. This directive is NOT affected by whether Safe
Mode is turned On or Off.

When a script tries to open a file with, for example, fopen() or gzopen(),
the location of the file is checked. When the file is outside the specified
directory-tree, PHP will refuse to open it. All symbolic links are resolved,
so it's not possible to avoid this restriction with a symlink. "


Brent Meshier
http://www.gtlogistics.com/
"Innovative Fulfillment Solutions" 

-----Original Message-----
From: raT [mailto:ratmole@gmail.com] 
Sent: Tuesday, March 01, 2005 12:54 PM
To: focus-linux@securityfocus.com
Subject: Deny Access To configuration file using php scripts

Hello i have a web server and i have a major problem

some of my users are trying to find my pass for my mysql database.

the first thing they do is a
system ('cat /var/www/path to config file'); inside a php script

my problem is to deny this file from being read throu the script since the
apache deamon runs as nobody and it has to have read permision to the
configuration file.

my users have shell acount and can create files in the public_html folder.
any help?
snif!

thanks in advance.
--
---

-=|  PrivaCy Is A LiE  |=-