
Re: The right way to secure my server



On Mon, Jan 01, 2001 at 11:55:28PM -0800, Jeff Davis wrote:
> I am setting up a server on which many users will have apache
> virtualhosts (with suexec). I have PHP set up as a module (and CGI).
> However, if someone uses PHP for database connections (who doesn't) then
> they must have the login info for the DB in a file readable by the user
> apache runs as by default. This means that any user on the system could
> look at your PHP scripts and get your password and login to the DB and
> drop your tables. Am I missing something?
No, you got it. You can also include() several config files (/etc/passwd).

> Do I have to run CGIs for any
> security at all? I know a million people use PHP as a module, and they
> don't seem to mind... could someone fill me in on the best direction I
> could be going in?
We discussed that on the German PHP ML a few days ago and the result
was that the only way to secure PHP on a shared server is to set up
a chroot environment with PHP as CGI and suexec.
When you want to avoid that people from the outside can connect to
your DB server, run it on a second server with an internal IP.

Cu,
Sven

-- 
Sven Hoexter Earth - Germany - Leverkusen
e-mail: sven@telelev.net
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them
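
An added example, not part of the original thread: once PHP runs as CGI under suexec, scripts execute as their owner, so files holding DB logins no longer need to be readable by the shared apache user or anyone else. The sketch below audits a vhost tree for PHP files that still carry group/other permission bits; the function names, the directory layout and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: each customer's vhost tree
# sits under one directory, and PHP runs as CGI under suexec, so scripts
# execute as their owner and need no group/other permission bits.

# audit_vhost DIR: list PHP files other local accounts could read or modify.
# Prints "READABLE <path>" / "WRITABLE <path>"; returns 1 if anything is found.
# READABLE: group/other read bit set, DB credentials in the file are exposed.
# WRITABLE: group/other write bit set, another account could alter the script.
audit_vhost() {
    findings=$(
        find "$1" -type f \( -name '*.php' -o -name '*.inc' \) \
            \( -perm -040 -o -perm -004 \) -print | sed 's/^/READABLE /'
        find "$1" -type f \( -name '*.php' -o -name '*.inc' \) \
            \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# demo: build a constructed vhost tree in a temp dir and audit it.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/alice/htdocs" "$root/bob/htdocs"
    echo '<?php /* constructed sample: DB login would live here */' \
        > "$root/alice/htdocs/db.inc"
    cp "$root/alice/htdocs/db.inc" "$root/bob/htdocs/config.php"
    chmod 600 "$root/alice/htdocs/db.inc"     # owner-only: fine under suexec
    chmod 644 "$root/bob/htdocs/config.php"   # typical mod_php setup: exposed
    audit_vhost "$root" | sed "s|$root/||"
    rm -rf "$root"
}

demo
```

File names containing newlines are not handled; the audit only reports and never changes permissions.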


