Major security question: I manage a shared Linux web server running PHP 4.2.3. Apache must have read permissions on a PHP file necessary for a web application. For example, a conf.php file containing a MySQL password that is stored outside the web directory:

    -rw-r----- 1 q apache 3522 Oct 17 06:39 conf.php

Because this file is readable by apache, ANY user on the server can write the following script:

    <? print_r(file('/home/q/conf.php')); ?>

Upon execution, the conf.php file will be read by apache and exposed to the user. Example understood?

How can a file be secured so it can still be used by apache, but inaccessible by any other user? Is there a PHP ini configuration to force apache to run as the user that is the owner of the php files being executed?

Gosh.

Quinn

___________________________________
strangecode :: internet consultancy
http://www.strangecode.com/
USA: +1 530 624 4410
Europe: +33 6 81 78 16 11
___________________________________

--
PHP General Mailing List (http://www.php.net/)