Making passwords in PHP libraries unreadable.
Posted: Thu Mar 25, 2004 1:53 pm
We have a large number of fairly technical users, some of whom might be troublemakers.
We wish to give secure(ish) database access to PHP scripts they write.
For this reason, we have them log into the database using our own set of includable PHP libraries: all they need to do is specify what database they need to access, and the library allows or denies it on a case by case basis.
But there's a problem. They can, using their scripts, display the library files through the webpage. Which will then allow them to see all the passwords.
To work around this, we've done the following:
1) Prevented certain commands (php_info, get_included_files, get_include_path, ini_get etc) that will give information about includes.
2) Given them a chroot shell when they log in through ssh, to which the libraries, and the /etc/php.ini are invisible. The scripts will only work when run by the apache process.
3) Put the libraries in a directory within a readonly directory, like /usr/lib/readonly/php_libs, so that the directory cannot be found by any script that works by traversing the tree from the root directory, and adding that directory to the include path.
4) Given the users a list of library names they can include, without paths.
5) Limited the directories the script can read from to the library directory and /home, so that they can't read php.ini directly.
My question is: is there a better (gentler, less nazi-admin) way to prevent users seeing the passwords in the libraries they are using?
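To make the problem in the post concrete, here is an added demonstration (not the poster's code, and not any of their library's actual contents). It constructs a stand-in credential library in a directory the user script is never told about, adds that directory to include_path, and then shows three ways a user script that only knows the library name still gets the password. The file name db_lib.php, the variable $DB_CREDS, the function connect_db() and the credentials are all assumptions made for the example.

```php
<?php
// Added demonstration (not the poster's code): why hiding the path of an
// included credential library does not stop the including script from
// reading it. Everything here is constructed; db_lib.php, $DB_CREDS,
// connect_db() and the credentials are assumed names and values.

// --- Stand-in for the admin-controlled library, written to a directory the
//     user script is never told about (mirrors steps 3 and 4 of the post). ---
$libdir = sys_get_temp_dir() . '/readonly_php_libs_' . getmypid();
mkdir($libdir, 0700);
file_put_contents($libdir . '/db_lib.php', <<<'PHP'
<?php
// Constructed library: credentials in clear text, as in the post's setup.
$DB_CREDS = array(
    'reports' => array('user' => 'reports_ro', 'pass' => 'example-only'),
);
function connect_db($name) {
    global $DB_CREDS;
    if (!isset($DB_CREDS[$name])) { return false; } // allow/deny per database
    return $DB_CREDS[$name]['user'];                  // a real library would open the connection here
}
PHP
);
set_include_path($libdir . PATH_SEPARATOR . get_include_path());

// --- What an untrusted user script can do, given only the library name. ---
require 'db_lib.php';   // resolved through include_path; no directory needed

// Vector 1: the library's globals are in the script's scope after require.
$leak1 = $DB_CREDS['reports']['pass'];

// Vector 2: the variable name is not even needed; enumerate the globals.
$leak2 = '';
foreach ($GLOBALS as $k => $v) {
    if (is_array($v) && isset($v['reports']['pass'])) {
        $leak2 = $v['reports']['pass'];
    }
}

// Vector 3: read the source through include_path resolution. The script
// never learns or traverses the directory, so steps 3 and 4 do not help,
// and open_basedir (step 5) must permit the library directory anyway or
// the require above would fail.
$leak3 = file_get_contents('db_lib.php', true);   // true = search include_path

echo "scope:   $leak1\n";
echo "globals: $leak2\n";
echo "source:  " . (strpos($leak3, 'example-only') !== false ? 'password visible' : 'not found') . "\n";

// Clean up the constructed library.
unlink($libdir . '/db_lib.php');
rmdir($libdir);
```

Run it with `php leak_demo.php` from a shell; all three lines report the constructed password. The point of the example is the caveat behind the question: the user script and the library execute in the same process as the same Unix user (apache), so anything the library can read or hold in a variable, the script can read too, whatever the paths and blocked functions. Whatever gentler approach is chosen has to put a process or user boundary between the untrusted script and the credential, not just hide the file.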