Network Security Focus-Linux

Re: Deny Access To configuration file using php scripts

Subject: Re: Deny Access To configuration file using php scripts
Date: Thu, 03 Mar 2005 20:36:44 +0000
raT, and others:

I've had the same concern as raT (except I don't offer shells, but more about the site readability of the important file), though I found it fairly easy to solve. Basically, it is as some of the other posters are saying: turn on php's safe_mode.

Here's the error I get when I tried to access that file with my regular user while the file is owned by user nobody (uid 65534) and php safe_mode is on:

[client 10.0.0.66] PHP Warning: fopen() [<a href='function.fopen'>function.fopen</a>]: SAFE MODE Restriction in effect. The script whose uid is 318 is not allowed to access my.dat owned by uid 65534 in /home/jgeo/public_html/test.php on line 3

[client 10.0.0.66] PHP Warning: fopen(my.dat) [<a href='function.fopen'>function.fopen</a>]: failed to open stream: Resource temporarily unavailable in /home/jgeo/public_html/test.php on line 3

As for your shell accounts, it is the same as was said: chmod 0600 important.file, and make sure nobody (i.e. the "unprivileged" user) owns that file.

Basically, only the unprivileged user's PHP scripts will be allowed to access that file. I hope this helps.

Other than the above, I didn't find a need to add those configuration options to Apache or anything, though I'm going to look more into it just to make sure =]

--
John Georgelas
System Administrator
Solution Security, http://www.solsec.net/
jgeo@solsec.net
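
The ownership and mode check that the reply above describes, as an added example that is not part of the original post: a small audit function that verifies a configuration file is owned by the unprivileged web user and is mode 0600, plus a helper that applies that remedy. It assumes GNU stat (Linux) and defaults the expected owner to "nobody" as in the post; the file path and owner name are the caller's inputs.

```shell
# Added example, not from the original mailing-list post.
# Assumes GNU coreutils `stat` (Linux). Expected owner defaults to "nobody"
# because that is the unprivileged user the post uses.

check_config_perms() {
    file=$1
    expected_owner=${2:-nobody}
    if [ ! -f "$file" ]; then
        echo "MISSING: $file" >&2
        return 2
    fi
    # stat -c '%a %U' prints the octal mode and owner name, e.g. "600 nobody"
    set -- $(stat -c '%a %U' "$file")
    mode=$1
    owner=$2
    rc=0
    if [ "$owner" != "$expected_owner" ]; then
        echo "BAD OWNER: $file is owned by $owner, expected $expected_owner" >&2
        rc=1
    fi
    # Any group or world bits let other users' shells or scripts read the file
    if [ "$mode" != "600" ]; then
        echo "BAD MODE: $file has mode $mode, expected 600" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file owned by $owner, mode $mode"
    return "$rc"
}

# Apply the fix from the post: chmod 0600 and hand the file to the
# unprivileged user. chown needs root, so this is meant to be run as root.
fix_config_perms() {
    file=$1
    owner=${2:-nobody}
    chmod 0600 "$file" && chown "$owner" "$file"
}
```

PHP's safe_mode, which the post relies on for the uid comparison, was removed in PHP 5.4, so on current PHP the file ownership and mode are the only enforcement this check covers.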
