
I have a dedicated server, and on this server I have two vhosts. I will give access to the server to two people. In my PHP file there's the database password, and I don't want to share that with them. So how can I protect the PHP file from being read? If I do a chmod 700, apache2 cannot read it and the page is "Forbidden". Thanks and good night

Gordon

2 Answers


In order to use the data, it must be readable by the webserver uid - which means that anyone who can deploy PHP code on the server can read the files. This is true of all web programming languages.

PHP is unusual in that it does provide mechanisms for partitioning shared access on a webserver

  1. by use of the open_basedir directive - you just need to configure different directory trees according to access - and set up separate database accounts with the relevant credentials stored in the separate environments - and configure the security at the database tier.

  2. Alternatively you can use suPHP to restrict access based on a virtual user - when a PHP script runs, it does so with the uid/gid of the PHP script. Again you need separate database accounts with different privileges to control data access.

symcbean
    Word of warning: `open_basedir` has historically been anything but waterproof. Functions such as Curl or IMAP functions do not necessarily obey open_basedir restrictions and will bypass them happily. It's a nice bit of security but at least in the past it was easy to get around. – Janne Pikkarainen Nov 01 '11 at 10:34
  • I thought the imap vuln only allowed file mods - not reading from files? OTOH, I thought the curl thing was fixed a long time ago - but I see there is a recent variant exploit - http://securityreason.com/achievement_securityalert/61 – symcbean Nov 01 '11 at 11:16
  • At one point it was possible to read any file accessible for the user running the PHP script with `imap_open()`, `imap_body()` and `imap_list()`. Granted, this was many years ago, but still a good warning about the weaknesses in open_basedir. Considering the vast amounts of PHP modules and functions there are, the chances are many of them are still vulnerable even though things have gotten lots better. – Janne Pikkarainen Nov 01 '11 at 11:27

If you've got root access, then you can setup permissions on the file so that apache (and thus php) can read it using a supplementary group; and prevent the two "users" from reading it.

Without knowing your OS variant, something like the following process should work. Testing is of course mandatory.

# create new group 
groupadd credentials
# add apache to that group (supplementary group)
usermod -G credentials -a apache
# change file ownership
chgrp credentials /etc/credentialfile.conf
chown root /etc/credentialfile.conf
chmod 640 /etc/credentialfile.conf

You will need to restart Apache to acquire the new supplementary groups.

Ben Walding
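The supplementary-group approach above is only as good as the resulting mode bits, so the practical check is: group can read, "other" cannot. The script below is an added example (not from the answer or the original poster): it wraps the answer's commands in a function that only runs as root, and adds two mode checks that can be exercised without root on a constructed temporary file. It assumes a POSIX sh with `ls`, `cut`, `mktemp` and `id`; the group name `credentials`, the Apache user `apache` and the path `/etc/credentialfile.conf` are the ones used in the answer.

```shell
#!/bin/sh
# Added example: harden and verify a credentials file read by Apache via a
# supplementary group. Not part of the original answer.

# Print the 10-character mode string of a file, e.g. "-rw-r-----".
# Uses ls -ld rather than stat so it works on both GNU and BSD userlands.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (exit 0) when the file grants no access at all to "other",
# i.e. the last three characters of the mode string are "---".
perms_deny_other() {
    case "$(mode_string "$1")" in
        ???????---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeed (exit 0) when the group-read bit is set, which is what lets the
# webserver uid read the file through its supplementary group.
perms_group_readable() {
    case "$(mode_string "$1")" in
        ????r?????) return 0 ;;
        *)          return 1 ;;
    esac
}

# Combined check: readable by the group, invisible to everyone else.
verify_credentials_file() {
    perms_group_readable "$1" && perms_deny_other "$1"
}

# The answer's procedure, run only as root (groupadd/usermod/chown need it).
# Arguments: file path, group name, webserver user. Idempotent-ish: groupadd
# failing because the group exists is tolerated.
harden_credentials_file() {
    file=$1; group=${2:-credentials}; webuser=${3:-apache}
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    groupadd "$group" 2>/dev/null || true
    usermod -a -G "$group" "$webuser"
    chown "root:$group" "$file"
    chmod 640 "$file"
    echo "restart Apache so it picks up the new supplementary group" >&2
    verify_credentials_file "$file"
}

# Demo on a constructed file in a temp directory; no root required.
demo() {
    dir=$(mktemp -d)
    f="$dir/credentialfile.conf"
    printf 'db_password = constructed-example-value\n' > "$f"
    chmod 644 "$f"   # typical default: world-readable, which is the problem
    if verify_credentials_file "$f"; then echo "644: unexpectedly ok"; else echo "644: world-readable, rejected"; fi
    chmod 640 "$f"   # the answer's target mode
    if verify_credentials_file "$f"; then echo "640: ok"; else echo "640: unexpectedly rejected"; fi
    chmod 600 "$f"   # too tight: Apache's group can no longer read it
    if verify_credentials_file "$f"; then echo "600: unexpectedly ok"; else echo "600: group cannot read, rejected"; fi
    rm -rf "$dir"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

Run `sh thisfile.sh` to see the three cases; `harden_credentials_file /etc/credentialfile.conf` as root applies the answer's steps and then runs the same verification. The checks deliberately inspect mode bits only: ownership by root and group membership still need to be confirmed separately, as does the Apache restart the answer mentions.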