Is it secure to keep php scripts like that?

Doomster
Registered User
Posts: 5
Joined: Thu Apr 11, 2002 3:11 am
Location: Kiev, Ukraine

Post by Doomster »

I mean that all scripts are in unprotected directories, for example config.php with the database password... When I write something in PHP I always put the include parts in some dir with access restricted by .htaccess.
So, is it secure with phpbb?
Fireman-x
Registered User
Posts: 71
Joined: Fri Nov 02, 2001 3:19 am

Post by Fireman-x »

Of course. First of all, you should have reduced permissions on your files anyway (so people can't write to them on a shared host). Second of all, anything with a .php extension is going to be parsed, so nobody will ever see the source.
hsim
Registered User
Posts: 1554
Joined: Tue Oct 23, 2001 9:39 pm

Post by hsim »

except with other php scripts on the same server ... but you can't do anything about this with .htaccess either
email me: hsim at gmx.li
Fireman-x
Registered User
Posts: 71
Joined: Fri Nov 02, 2001 3:19 am

Post by Fireman-x »

I'd hope that if you are running in a shared hosting environment, you would be running in safe mode, which would prevent this.
hsim
Registered User
Posts: 1554
Joined: Tue Oct 23, 2001 9:39 pm

Post by hsim »

I'm glad that I'm not on a host running php in safe mode :P Too restricted for me.
email me: hsim at gmx.li
hackie
Registered User
Posts: 18
Joined: Fri Aug 17, 2001 6:54 pm

Post by hackie »

Technically, no, it's not safe. Moreover, anyone else on the server can read your files/passwords and so on if they're not properly chmoded. If you do not have shell access to your host, then your host is lame.

PHP's safe mode is a terrible hack that can't really get around this problem, unless you really cripple your php and destroy what makes unix so powerful. (For example, safe mode alone means crap if popen is enabled.. or any of the exec/system calls......). PHP's mode is a hack for a problem PHP developers shouldn't have even tried to solve.

This problem will be TRULY solved by apache 2.0 and its perchild mpm, as that will finally allow apache to make file system requests with a proper uid/gid of the virtual host owner.

There is really no easy solution with apache 1.3+PHP to this problem. All of the attempted ones are terrible crippling hacks. Apache 2 is the answer.
Developer of FUDforum
http://fud.prohost.org
Doomster
Registered User
Posts: 5
Joined: Thu Apr 11, 2002 3:11 am
Location: Kiev, Ukraine

Post by Doomster »

Hm, how should I chmod php scripts? I mean 755 etc...
Kylecool
Registered User
Posts: 674
Joined: Sat Feb 02, 2002 3:51 am
Location: Southern California, U.S.A! GO USA!

Post by Kylecool »

Yes, with some permissions, people with SSH can see your file, but not edit it. Other than that, it's pretty secure.

-Kyle
VACATION UNTIL june 29TH or 30th. :)
FunkyDuck
Registered User
Posts: 260
Joined: Sat Apr 20, 2002 11:24 am
Location: Netherlands

Post by FunkyDuck »

so chmod all php to 755 ?
FunkyDuck
theFinn
Founder and ex-Contributor
Posts: 1767
Joined: Tue Jul 03, 2001 7:58 pm
Location: Edmonton, AB, Canada

Post by theFinn »

No, 755 won't keep it safe.

The best way to keep others with access to the system from reading it (on the command line at least) is to chgrp it to the apache group, and only give yourself and the apache group access to read the file. However, this won't stop anyone from writing a little PHP script to read the file..

As it's been said, hopefully Apache 2 will solve this problem.
James 'theFinn' Atkinson
Founder & ex-Contributor
http://www.thefinn.net
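
The permission scheme described in the post above, as an added shell example that is not part of the thread: it lists .php files that still grant anything to "other" and applies owner read/write plus group read (mode 640). The group name in `WEB_GROUP` is an assumption, so substitute the group your host's web server actually runs as; as the post notes, this does not stop another PHP script executed by the same web server from reading the file.

```shell
#!/bin/sh
# Added example, not code from the thread.
# WEB_GROUP is an assumed name for the group the web server runs as;
# check your host (commonly "apache" or "www-data").
WEB_GROUP="${WEB_GROUP:-apache}"

# List .php files under a directory that grant any permission to "other".
# On a shared host these are readable (or worse) by every local account.
audit_php_perms() {
    find "$1" -type f -name '*.php' \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Apply the scheme from the post: owner read/write, web server group read,
# nothing for other (mode 640). Fails if you may not chgrp to that group.
lock_down() {
    file=$1
    group=${2:-$WEB_GROUP}
    chgrp "$group" "$file" || return 1
    chmod 640 "$file"
}

# Print the octal mode of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# When run with a directory argument, report the exposed files in it.
if [ "$#" -gt 0 ]; then
    audit_php_perms "$1"
fi
```
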
Wert
Former Team Member
Posts: 3677
Joined: Tue Jul 03, 2001 8:33 pm
Location: Sacramento, CA
Name: Chris Aguilar

Post by Wert »

And for a common sense type of thing...

If you're on a host that has shared servers, don't ever ever ever let it be known which server you're on!

Because once you say something like "Oh, I'm on server 10", then immediately anyone else on that server could obtain your p/w.
Chris Aguilar - AKA "Wert"
FunkyDuck
Registered User
Posts: 260
Joined: Sat Apr 20, 2002 11:24 am
Location: Netherlands

Post by FunkyDuck »

I am on a server of my ISP that hosts more websites of others. I do not think I have that apache rights etc. What can I do?

By the way, does anyone have a .htaccess file for me? (don't know how to create)
FunkyDuck