[prog] php, cgi-scripts, passwords and more

tiera tiera at comhem.se
Thu Sep 11 17:15:29 EST 2003


On Thursday 11 September 2003 14.02, Allie Micka wrote:
> Until then, we have safe_mode.
> safe_mode is a setting in php that, among other things, limits
> include(), require(), fopen(), etc. to files owned by the same user as
> the calling script.  So a file owned by you can open another file owned
> by you, but it can't open, say, /etc/passwd because it is owned by
> root.  Similarly, files owned by user badguy can't access your files
> because they're owned by different users.
>
> The other setting your host should have used is open_basedir, which
> limits the directories your php scripts can open files in.  In most
> cases this should be set to your virtualhost directory and possibly a
> library directory.  So badguy's site is set with an open_basedir of
> /www/badguy.com , so he can't get at your files stored outside of his
> basedir in /www/yoursite.com
>
> You can check up on these ini settings with phpinfo() or ini_get()

I checked these settings and none of them are set. Too bad.

> If all the above is set up properly, a) php protects your code from
> other scripts, b) filesystem ownership/suExec restrictions protect
> access through other means.  This leaves world-readability.  Make sure
> that the files are owned by the correct group (so the webserver can
> access them) and mode 640 .  You can read/edit them, the webserver can
> read them to serve them up, and other users on the system can't do
> anything.  It is also good to know whether the group is specific to the
> web process or if it is a more general group, that may have other users.

Things are a bit different on my webhost. My home directory on the host is 
owned by me and belongs to the group "users". The permissions set are: 
drwx-----x
So the webserver doesn't access the file through the group permissions, but 
through the other-permissions. As I understand it, that means that at least the 
other users on the webhost (all of them belong to only the group "users") 
can't access my files if they're logged in on the webhost. Even if I have a 
file in my home directory that is world readable, another user logged in can't 
read it, right?

So I guess that means that the thing I have to worry about is badguy somehow 
getting to my password file through apache? But doesn't he have to know the 
filename for that? 

> but you can
> add the following to your top-level .htaccess file:
>
> <Files ~ "\.inc$">
>      Order deny,allow
>      Deny from all
> </Files>
>

Good advice. Thanks!

> The other way to make include files inaccessible is to store them in a
> directory with an .htaccess file reading "Deny From All" .  None of the
> files in that directory will be served by apache but your scripts can
> still access them.

This too. Thanks.


You've given me lots to think about. Thanks.

/tiera
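
Added example, not part of the original message: a small model of the classic Unix permission check (no ACLs, root ignored) applied to the drwx-----x home directory described above. The uids, gids and the assumption that the web server runs PHP under its own account, outside the "users" group and without suExec, safe_mode or open_basedir, are constructed for illustration.

```python
# Added example: models the classic Unix permission check (no ACLs, root ignored).
# All uids/gids below are constructed for illustration.
from collections import namedtuple

Node = namedtuple("Node", "mode uid gid")        # one directory or file
Proc = namedtuple("Proc", "uid gids")            # identity of the accessing process

BIT = {"r": 4, "w": 2, "x": 1}

def perm_class(proc, node):
    """Exactly one class applies: owner first, then group, then other."""
    if proc.uid == node.uid:
        return "owner"
    if node.gid in proc.gids:
        return "group"
    return "other"

def allowed(proc, node, want):
    """True if the single applicable class grants the wanted bit ('r', 'w' or 'x')."""
    shift = {"owner": 6, "group": 3, "other": 0}[perm_class(proc, node)]
    return bool((node.mode >> shift) & BIT[want])

def can_read(proc, dirs, file):
    """Reading a file needs x on every directory in the path and r on the file."""
    return all(allowed(proc, d, "x") for d in dirs) and allowed(proc, file, "r")

USERS_GID, WWW_UID, WWW_GID = 100, 33, 33        # assumed ids
home = Node(0o701, 1001, USERS_GID)              # drwx-----x, group "users"
secret = Node(0o644, 1001, USERS_GID)            # a world-readable file inside it

shell_user = Proc(1002, {USERS_GID})             # another customer logged in via shell
web_server = Proc(WWW_UID, {WWW_GID})            # Apache/PHP account, not in "users"

def report():
    return {
        "shell user reads file": can_read(shell_user, [home], secret),
        "web server reads file": can_read(web_server, [home], secret),
        "web server lists home": allowed(web_server, home, "r"),
        "web server reads 640 file": can_read(web_server, [home], secret._replace(mode=0o640)),
    }

if __name__ == "__main__":
    for question, answer in report().items():
        print(f"{question}: {answer}")
```

In this model the group class, not the more permissive other class, decides for members of "users", while anything running as the web server account can open a world-readable file whose path it knows but cannot list the directory. A mode 640 file is out of the server's reach here because its group is "users", which is why the 640 advice depends on the file's group being one the web server belongs to.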



