password in php document

bullet45
Forum Newbie
Posts: 6
Joined: Tue Dec 17, 2002 9:24 pm

password in php document

Post by bullet45 »

I'm a new user of php and mysql, and have a question that concerns me about security. When writing the php document to connect to mysql, the password is written in the document itself. This is not a problem for outside sites since the php engine processes the documents. But how do I protect the password from internal users? Since it's served out by the server, it has the world read permission so users on the system could determine where it was located and read the file. Is there a way to keep from placing the password in the document?
oldtimer
Forum Contributor
Posts: 204
Joined: Sun Nov 03, 2002 8:21 pm
Location: Washington State

Post by oldtimer »

I myself make a configuration file, sometimes config.php. I then place it outside my www root and then include it. Now this does not help if people have access to root and can get to it.

Is this a linux or a windows server?
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

You might be able to use PGP but I'm not sure how to implement it in PHP... I think you need to encrypt the password and then decrypt it. But a normal function is easy to crack, as one can see which function is used.
bullet45
Forum Newbie
Posts: 6
Joined: Tue Dec 17, 2002 9:24 pm

server

Post by bullet45 »

The server is on a Solaris box running Apache.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

Will you be able to set a password to view the folder or set a permission level? I'm not really used to Solaris.
Johnm
Forum Contributor
Posts: 344
Joined: Mon May 13, 2002 12:05 pm
Location: Michigan, USA

Post by Johnm »

First, storing it outside the web tree is a good idea, but chmod 711 file.php will allow it to be executed by anyone but only read by the owner and root. Make the owner root and things are pretty locked down.
Make it a dot file, e.g. (mv file.php .file.php), and it makes the file a little more discreet.



John M
bullet45
Forum Newbie
Posts: 6
Joined: Tue Dec 17, 2002 9:24 pm

permissions on php files

Post by bullet45 »

I've tried only having execute access on the php file, however the server won't pick up the file and execute it without the world read permission. Moving it out of the www tree is an idea that I can try, but the problem is that I would still have to give permission for the web server user to access the file, and users on the system would be able to read the file and determine where I hid the portion with the password.
Rincewind
Forum Commoner
Posts: 27
Joined: Thu Nov 21, 2002 11:15 am
Location: Norway

Post by Rincewind »

Just off the top of my head, and I'm not really familiar with this stuff so if I'm being stupid tell me :)
If the user running the web-server is the only user having read-access to the file how would someone go about reading it directly from the file-system and not through apache?
If read through apache it won't show the code anyhow (as long as the file is named .php that is)
Am I way off here, and if so, why?
I would like an answer to this as well :)
bullet45
Forum Newbie
Posts: 6
Joined: Tue Dec 17, 2002 9:24 pm

permissions

Post by bullet45 »

The reason for the world read permission is that the apache server is running as user nobody, the least privileged user on the system. In order for a file to be served out by the server, it must have permissions that allow nobody to read it. One partial fix would be to make nobody the owner of the php file, but this will not work as a full solution because I (as sysadmin) can change the owner of the file to nobody, but other users can't. I really like the way php and mysql work, but there is sensitive data stored in the databases I will be using so I want to make sure that I am the only one that can access the database.
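
Added example, not part of any post in this thread: a POSIX shell check for the two exposures discussed above, a credentials include that is world-readable and one that sits inside the document root. The helper name `audit_secret_file`, the demo paths and the placeholder password are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a PHP credentials include on a shared host.

# Physical (symlink-resolved) directory that contains a path.
real_dir() {
    ( cd "$(dirname "$1")" 2>/dev/null && pwd -P )
}

# audit_secret_file FILE DOCROOT  (hypothetical helper)
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad args.
audit_secret_file() {
    file=$1; docroot=$2; findings=0
    [ -f "$file" ] && [ -d "$docroot" ] || { echo "bad arguments" >&2; return 2; }

    # POSIX ls -ld prints e.g. -rw-r--r--; characters 8-10 are the "other" bits.
    perms=$(ls -ld -- "$file" | cut -c1-10)
    other=$(printf '%s' "$perms" | cut -c8-10)
    case $other in
        r??) echo "FINDING: world-readable ($perms): $file"; findings=1 ;;
    esac
    case $other in
        ?w?) echo "FINDING: world-writable ($perms): $file"; findings=1 ;;
    esac

    # A file under the document root is reachable by URL.
    fdir=$(real_dir "$file")
    root=$(cd "$docroot" && pwd -P)
    case $fdir/ in
        "$root"/*) echo "FINDING: inside document root: $file"; findings=1 ;;
    esac
    return "$findings"
}

# Constructed demo layout: a document root and a sibling private directory.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs" "$demo/private"
for d in htdocs private; do
    echo '<?php $db_pass = "PLACEHOLDER"; ?>' > "$demo/$d/config.php"
done
chmod 644 "$demo/htdocs/config.php"    # the layout the question describes
chmod 640 "$demo/private/config.php"   # owner rw, group r (web server's group), others none
audit_secret_file "$demo/htdocs/config.php" "$demo/htdocs" || true
audit_secret_file "$demo/private/config.php" "$demo/htdocs" && echo "OK: private copy"
rm -rf "$demo"
```

Mode 640 with the web server's group closes the shell-user read path; PHP scripts that other users run under the same Apache user can still open the file.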
Rincewind
Forum Commoner
Posts: 27
Joined: Thu Nov 21, 2002 11:15 am
Location: Norway

Post by Rincewind »

Hmmm...
But how can a user access the web-tree on the server without going through apache?
I guess the web-tree isn't NFS-shared and the users usually don't have physical access to the server.
Of course, if the users have access to a shell on the server....do they?
Would then a dedicated web-server with no shell-access be a solution?
What about serving those particular files from a dedicated, yet outdated, machine with read-access only to the web-server? Or from an NFS-share readable only from the IP of the web-server?
I'm reaching, I know, but I see the problem and that I may be faced with it, so I try to understand, ok?

Rincewind
bullet45
Forum Newbie
Posts: 6
Joined: Tue Dec 17, 2002 9:24 pm

web tree

Post by bullet45 »

The problem with isolating the files is that the users on the system are allowed to have their own web space, and they would be presented with the same problem since there has to be access for the webuser to read the php file.
Johnm
Forum Contributor
Posts: 344
Joined: Mon May 13, 2002 12:05 pm
Location: Michigan, USA

Post by Johnm »

Rename your server to something like webserver or webuser, create an account for the webserver allowing it the permissions and file ownership that it needs. You, as the admin, can su to root or the webserver to make any needed changes, yet the file remains secure.

John M
bullet45
Forum Newbie
Posts: 6
Joined: Tue Dec 17, 2002 9:24 pm

server

Post by bullet45 »

The problem with that is it won't work for other users on the system. The only solution I can come up with is to write a setuid program that users on the system can filter their files through that will set the user to the webuser.
Johnm
Forum Contributor
Posts: 344
Joined: Mon May 13, 2002 12:05 pm
Location: Michigan, USA

Post by Johnm »

Multiple files with a script to ensure that they are updated properly?
Just a thought. You can define access to each user's web space directory specifically.

I guess that I am not sure that I understand the problem as we have multiple websites for our business with specific permissions even down to the user level to control who sees what and when.

John M
evilcoder
Forum Contributor
Posts: 345
Joined: Tue Dec 17, 2002 5:37 am
Location: Sydney, Australia

Post by evilcoder »

The fact is, millions of sites contain files which have passwords and usernames in them; luckily the vast majority of people don't know how to crack these. You're going to need one file to connect to a database, but to secure database information you can insert it with MD5. That works fairly well.