Network Security Focus-Linux

RE: Deny Access To configuration file using php scripts

Subject: RE: Deny Access To configuration file using php scripts
Date: Thu, 3 Mar 2005 15:50:56 -0500 (EST)
I'm late joining this thread, so I apologize if someone has already
suggested this, but try putting this in the VirtualHost configuration
file:

SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"

Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in
your code. This way the values are available to your virtual host only,
and presumably your httpd.conf file is only readable by root.

CSH



-----Original Message-----
From: Suramya Tomar [mailto:security@suramya.com]
Sent: Wednesday, 2 March 2005 9:59 AM
To: raT
Cc: focus-linux@securityfocus.com
Subject: Re: Deny Access To configuration file using php scripts

Hi,

Hello, I have a web server and I have a major problem:
some of my users are trying to find my password for my MySQL database.

My first suggestion would be to warn these users that this is not
allowed and ban them from the system if they persist.

The first thing they do is a
   system('cat /var/www/path to config file');
inside a PHP script.


There are a couple of things you can try. First, you can use Apache
directives to deny access to the file. To do that, add the following text
to the httpd.conf file:

<Files ~ "\.inc$">
   Order allow,deny
   Deny from all
</Files>

This would prevent all files with the .inc extension from being viewed
via the web.

While that may stop the web server from serving the files up, it would
not stop a PHP script from accessing the files.

I'm not sure that this can easily be solved. If the file needs to be
readable by Apache, then it can also be read by any other process
running as the same user as Apache, which would be every PHP script.

If you are using virtual hosts, then you may be able to solve the
problem using Apache's per-user virtual-host configuration. This allows
scripts to run as someone other than 'nobody' (or whoever Apache is
running as).

The second thing I would suggest is to disable access to the system()
function unless you really, really need it. You can do that in the
php.ini file by using the disable_functions directive. It allows you to
define a comma-delimited list of functions to be disabled within PHP.
(http://www.onlamp.com/pub/a/php/2001/02/15/php_admin.html)

They could also use functions like fopen(), require(), include(), etc. to
read the files.

Hope this helps.

- Suramya

--
----------------------------------------------------------
Some days you're the dog; some days you're the hydrant.
----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------

************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************
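The disable_functions suggestion in the quoted message, and the follow-up that fopen(), require() and include() are unaffected by it, as an added example that is not part of this thread and not code from any of its participants: a small Python audit that parses the disable_functions line out of php.ini text and reports which process-execution functions are still enabled. The php.ini excerpt is constructed for the example; the list of execution functions to check (system, exec, passthru, shell_exec, popen, proc_open) is an assumption about what a reviewer would want disabled alongside system(). include and require are language constructs rather than functions, so disable_functions cannot block them, which is why the report lists them separately.

```python
import re

# Assumed set of PHP functions that hand a shell or a process to the script.
# The thread suggests disabling system(); the others give the same capability.
EXEC_FUNCTIONS = frozenset({
    "system", "exec", "passthru", "shell_exec", "popen", "proc_open",
})

# Read paths the thread points out remain open. include/require are language
# constructs and cannot be listed in disable_functions at all.
FILE_READ_FUNCTIONS = ("fopen", "file_get_contents", "include", "require")

# Constructed php.ini excerpt (not from the thread): a commented-out attempt
# followed by a live, quoted, partial list.
SAMPLE_PHP_INI = """\
; constructed php.ini excerpt for the example
[PHP]
engine = On
;disable_functions = system,exec,passthru
disable_functions = "system, Shell_Exec"
"""


def parse_disable_functions(ini_text):
    """Return the set of function names listed in disable_functions.

    Handles ';' comments, optional quotes around the value, whitespace after
    the commas, and mixed case. A later assignment replaces an earlier one,
    mirroring php.ini's last-one-wins behaviour.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        m = re.match(r"^disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(1).strip().strip("\"'")
        disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(ini_text):
    """Report what disable_functions does and does not cover in this php.ini."""
    disabled = parse_disable_functions(ini_text)
    return {
        "disabled": sorted(disabled),
        # Execution functions a hostile script could still call.
        "exec_still_enabled": sorted(EXEC_FUNCTIONS - disabled),
        # Read paths that remain open; include/require always appear here.
        "file_read_unblocked": [f for f in FILE_READ_FUNCTIONS if f not in disabled],
    }


def hardened_line(disabled):
    """Build a disable_functions line covering the existing list plus EXEC_FUNCTIONS."""
    return "disable_functions = " + ",".join(sorted(disabled | EXEC_FUNCTIONS))


if __name__ == "__main__":
    report = audit(SAMPLE_PHP_INI)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(hardened_line(parse_disable_functions(SAMPLE_PHP_INI)))
```

Run it against a real php.ini to see how much of the execution surface the thread's system()-only suggestion leaves open; the file_read_unblocked list is a reminder that, as the quoted reply says, disable_functions does nothing about a script that simply reads the configuration file.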


