--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
> I've got a question about a section of Chris's article on PHP
> security from his OSCON 2004 talk.
>
> When talking about protecting database credentials, Chris
> mentions creating a file (readable only by root) with the
> following:
>
> SetEnv DB_USER "myuser"
> SetEnv DB_PASS "mypass"
>
> and then using this:
>
> Include "/path/to/secret-stuff"
>
> in the httpd.conf file such that they show up in your $_SERVER
> array.
The credit for this approach belongs to David Sklar and Adam Trachtenberg, not me. I just happen to think it's a good approach. :-) I know you weren't explicitly giving me credit, but I wanted to make sure.

> I assume that the include directive would be declared inside
> the section of the httpd.conf file which defines everything for
> my site?

Yes, and I think this is a point that I left out. I probably thought it was obvious, but many people have emailed me about this. If the Apache Include directive given is not within your VirtualHost block or otherwise restricted to one user, then every user on the server can access that data. So, you want to make sure this directive only applies to you.

> I'm also going to be asking them to set another environment
> variable, INC_PATH, and then I'll use this to reference the
> files which I'm including from outside my webroot, such that
> even if someone reads the files within my webroot, they won't
> see either the db username or password, nor will they see the
> path from which I am including sensitive files.
>
> Thoughts?

This is obscurity, which can be somewhat helpful, but don't rely on this for any sort of protection. While it's true that someone can't easily determine where you have your modules stored, this discovery isn't challenging enough to be considered a safeguard.

I think it's best to keep anything that you consider sensitive in the database (this is for shared hosts only, mind you), and use the technique described above to protect your database access credentials.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming December 2004
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
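The configuration the thread describes, written out as an added example (this is not from the original post or from the Sklar/Trachtenberg book): the root-only credentials file and the VirtualHost block that includes it. The path /path/to/secret-stuff is kept as the placeholder the thread uses; the ServerName, DocumentRoot and the file location under /etc are assumptions for illustration.

```apache
# --- file: /path/to/secret-stuff ---------------------------------------
# Owned by root, mode 0600 (chown root:root; chmod 600).
# Apache reads its configuration as root at startup, before forking the
# worker processes that run as the unprivileged User/Group, so neither
# those workers nor other accounts on a shared host can open this file.
# Only the values it sets reach PHP, and only for the requests that hit
# the VirtualHost below.
SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"

# --- file: httpd.conf (relevant fragment) -------------------------------
# The Include sits INSIDE the VirtualHost so the variables are set only
# for this site's requests. Placed at the top level of httpd.conf they
# would apply to every VirtualHost, and every other user's scripts on
# the server would see them in $_SERVER.
<VirtualHost *:80>
    ServerName   www.example.com              # assumed name
    DocumentRoot /home/myuser/public_html     # assumed path
    Include "/path/to/secret-stuff"
</VirtualHost>
```

On the PHP side the values show up as $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] (and through getenv()), so the script never has to contain the password and the web root never has to hold a readable config file. Two checks worth doing once this is in place: confirm as a non-root shell user that the secret file really cannot be read, and make sure nothing in the site calls phpinfo() or dumps $_SERVER, since either one prints the credentials to anyone who can reach that page.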