|  | how to hide db access? |  | |
| | | Fred |  |
| Posted: Fri Aug 22, 2008 2:20 pm Post subject: how to hide db access? |  |
I have a file (access.php) with the db username and pwd, which I include in every php file that needs db access. I'm not clear on how to set the path.
I have an account on a shared *nix server, and this code will be in a subdomain (which is a subdirectory).
Do I go upward with "../../access.php" or do I start with "/" and figure out where that actually is, then go downward? |
| |
| | | Jerry Stuckle |  |
| Posted: Fri Aug 22, 2008 3:54 pm Post subject: Re: how to hide db access? |  |
| |  | |
Fred wrote:
| Quote: | I have a file (access.php) with the db username and pwd, which I include in every php file that needs db access. I'm not clear on how to set the path.
I have an account on a shared *nix server, and this code will be in a subdomain (which is a subdirectory).
Do I go upward with "../../access.php" or do I start with "/" and figure out where that actually is, then go downward?
|
"/" would be the root directory of your server. You can use $_SERVER['DOCUMENT_ROOT'] to get to the root directory of the web site then add the subdirectory name (which is dependent on the subdirectory name should you move to another site, for instance). Or you could use relative access such as "../../access.php" (which is dependent on the directory the including file is in).
Neither way is great, but the best you can do with your setup. Pick one and use it consistently.
Or, use a host which doesn't require subdomains to be in subdirectories (there's no reason why that needs to be the case) and just use $_SERVER['DOCUMENT_ROOT'].
-- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== |
| |
| | | Michael Vilain |  |
| Posted: Fri Aug 22, 2008 8:41 pm Post subject: Re: how to hide db access? |  |
| |  | |
In article <g8mp0t$bcs$1@aioe.org>, Fred <Fred@notspam.not> wrote:
| Quote: | I have a file (access.php) with the db username and pwd, which I include in every php file that needs db access. I'm not clear on how to set the path.
I have an account on a shared *nix server, and this code will be in a subdomain (which is a subdirectory).
Do I go upward with "../../access.php" or do I start with "/" and figure out where that actually is, then go downward?
|
In most UNIX-based shared hosts, if the web browser can see the file due to OTHER permissions being set to READ, then potentially all users can see that file.
If your web host allows unrestricted shell access, anyone can access your file by wandering around the filesystem. If your web host restricts shell access (e.g. users get a chroot'ed or "jailed" shell that only sees its home directory), you should be OK from casual or script-kiddy hackery.
If your web host doesn't use a ftp server that allows for jailed access, the same problem applies. Another user connecting via ftp could change their directory and wander through the entire filesystem. There are lots of ftp servers with varying levels of security and accountability. Ask your web hoster what they use. Or just connect to their ftp server with a command-line client and see if you can cd to /. If you see the whole filesystem when you list the directory, that's bad.
To answer your question specifically, I read an article some time ago by a php developer that offered a very elegant solution to this problem. He talks specifically about your problem:
LINK
Essentially, his idea is to include a protected file with SetEnv directives in the Apache startup script that define variables to set the MySQL database and password. The Apache startup script is run as root, so you can put the included script with the directives in your home directory outside your web server's DocumentRoot. And you can protect it from being read by anyone but you. If you hardcode the mcrypt'ed database name (to be unscrambled by the code) and you store the mcrypt'ed password in the Apache's global variable array, you can use $_SERVER{"someobscurereference"} to retrieve the cyphertext and decrypt the password.
This won't stop someone else on the system from using phpinfo() to dump the $_SERVER array, dumping your code, wandering through it to see how to access your database, and gaining access to your database and password. It will stop the casual hacker.
If you want to stop someone more dedicated, don't use a shared host. Buy a virtual hosted environment where you are the admin of a virtual box. You have to know how to admin such an environment or have someone who can admin it for you. But it's harder to break into that sort of environment.
-- DeeDee, don't press that button! DeeDee! NO! Dee... [I filter all Goggle Groups posts, so any reply may be automatically by ignored] |
| |
| | | WalterGR |  |
| Posted: Fri Aug 22, 2008 11:30 pm Post subject: Re: how to hide db access? |  |
On Aug 22, 3:41 pm, Michael Vilain <vil...@NOspamcop.net> wrote:
| Quote: | If you want to stop someone more dedicated, don't use a shared host. Buy a virtual hosted environment where you are the admin of a virtual box.
|
My shared hosting provider uses php-cgiwrap.[1] This causes PHP to run under your account's credentials. You can then change the permissions on the file with your database username and password so that only your account can read the file.
One consequence of this is that your other files are potentially visible if someone cracks your script, as PHP can then read files that you have "read" permissions on, even if you have blocked "group" and "other".
Walter
[1] LINK |
| |
| | | Jerry Stuckle |  |
| Posted: Fri Aug 22, 2008 11:54 pm Post subject: Re: how to hide db access? |  |
| |  | |
Michael Vilain wrote:
| Quote: | In article <g8mp0t$bcs$1@aioe.org>, Fred <Fred@notspam.not> wrote:
I have a file (access.php) with the db username and pwd, which I include in every php file that needs db access. I'm not clear on how to set the path.
I have an account on a shared *nix server, and this code will be in a subdomain (which is a subdirectory).
Do I go upward with "../../access.php" or do I start with "/" and figure out where that actually is, then go downward?
In most UNIX-based shared hosts, if the web browser can see the file due to OTHER permissions being set to READ, then potentially all users can see that file.
|
Incorrect. PHP can be configured to allow the current virtual host access to only its files. And ssh/ftp access restrict it at the host level.
| Quote: | If your web host allows unrestricted shell access, anyone can access your file by wandering around the filesystem. If your web host restricts shell access (e.g. users get a chroot'ed or "jailed" shell that only sees its home directory), you should be OK from casual or script-kiddy hackery.
|
Any host who does that deserves to go out of business.
| Quote: | If your web host doesn't use a ftp server that allows for jailed access, the same problem applies. Another user connecting via ftp could change their directory and wander through the entire filesystem. There are lots of ftp servers with varying levels of security and accountability. Ask your web hoster what they use. Or just connect to their ftp server with a command-line client and see if you can cd to /. If you see the whole filesystem when you list the directory, that's bad.
|
Ditto. It's too easy to limit both ssh and ftp access for a hosting company NOT to do it. If I found my host did, I'd be gone in a couple of nanoseconds.
| Quote: | To answer your question specifically, I read an article some time ago by a php developer that offered a very elegant solution to this problem. He talks specifically about your problem:
LINK
Essentially, his idea is to include a protected file with SetEnv directives in the Apache startup script that define variables to set the MySQL database and password. The Apache startup script is run as root, so you can put the included script with the directives in your home directory outside your web server's DocumentRoot. And you can protect it from being read by anyone but you. If you hardcode the mcrypt'ed database name (to be unscrambled by the code) and you store the mcrypt'ed password in the Apache's global variable array, you can use $_SERVER{"someobscurereference"} to retrieve the cyphertext and decrypt the password.
|
Which is over 4 years old and COMPLETELY out of date. It wasn't even current when it was written.
| Quote: | This won't stop someone else on the system from using phpinfo() to dump the $_SERVER array, dumping your code, wandering through it to see how to access your database, and gaining access to your database and password. It will stop the casual hacker.
|
phpinfo() doesn't have that information. And they would have to be able to put the file in your directory, which is impossible with proper security.
| Quote: | If you want to stop someone more dedicated, don't use a shared host. Buy a virtual hosted environment where you are the admin of a virtual box. You have to know how to admin such an environment or have someone who can admin it for you. But it's harder to break into that sort of environment.
|
Shared hosts are quite secure, if they are set up properly.
-- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== |
| |
| | | RJ_32 |  |
| Posted: Mon Sep 01, 2008 8:59 pm Post subject: Re: how to hide db access? |  |
| |  | |
WalterGR wrote:
| Quote: | My shared hosting provider uses php-cgiwrap.[1] This causes PHP to run under your account's credentials. You can then change the permissions on the file with your database username and password so that only your account can read the file.
|
my shared hosting uses FastCGI which also runs under my account (not as the nobody account) so that's the same.
If I set perms to 400 as you say, then does this scheme provide JUST AS GOOD protection as if I were to move the file (that has username and pwd in it) up and out of the public_html hierarchy?
It's on a jail shell.
ALSO, how would anybody get at the info in the "access_php" file anyway? Let's say that no steps are taken to safeguard the database access info, like so:
access.php file in webroot:
<?php $user = "username"; $pwd = "password"; ?>
index.php file in webroot:
<?php require "access.php"; mysql_connect('localhost', $user, $pwd) or die(mysql_error()); ?>
Anybody can request access.php via their browser but they would get zero output. How would anybody get at the db info?
| Quote: | One consequence of this is that your other files are potentially visible if someone cracks your script, as PHP can then read files that you have "read" permissions on, even if you have blocked "group" and "other".
Walter
[1] LINK |
|
| |
| | | RJ_32 |  |
| Posted: Mon Sep 01, 2008 11:17 pm Post subject: Re: how to hide db access? |  |
Jerry Stuckle wrote:
| Quote: | What you have to worry about is not when things work correctly. It's when there is a problem and things work incorrectly.
What if, for instance, due to a glitch in your web server, it suddenly stopped parsing .php files for a short time? All of your code is now visible.
|
I actually did see that happen to someone once, about a year ago. That's what makes me interested in the topic.
| Quote: | But more than that - just fetching the page gives a 200 OK response - which will tell a hacker the file exists - and perhaps he can make use of that information. Storing it outside of the web server's root does not allow even that much access.
The safest way to prohibit access to files is to not store them in the document root.
|
which would mean moving all of them, except those that contain includes. |
| |
| | | Jerry Stuckle |  |
| Posted: Mon Sep 01, 2008 11:19 pm Post subject: Re: how to hide db access? |  |
| |  | |
RJ_32 wrote:
| Quote: | Jerry Stuckle wrote:
What you have to worry about is not when things work correctly. It's when there is a problem and things work incorrectly.
What if, for instance, due to a glitch in your web server, it suddenly stopped parsing .php files for a short time? All of your code is now visible.
I actually did see that happen to someone once, about a year ago. That's what makes me interested in the topic.
But more than that - just fetching the page gives a 200 OK response - which will tell a hacker the file exists - and perhaps he can make use of that information. Storing it outside of the web server's root does not allow even that much access.
The safest way to prohibit access to files is to not store them in the document root.
which would mean moving all of them, except those that contain includes.
|
All of them which are not directly accessible as web pages, anyway.
-- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== |
| |
| | | Guest |  |
| Posted: Tue Sep 02, 2008 8:17 am Post subject: |  |
| |  | |
From: Jerry Stuckle <jstucklex@attglobal.net> Newsgroups: comp.lang.php Subject: Re: how to hide db access? Date: Mon, 01 Sep 2008 20:41:03 -0400
RJ_32 wrote:
| Quote: | WalterGR wrote:
My shared hosting provider uses php-cgiwrap.[1] This causes PHP to run under your account's credentials. You can then change the permissions on the file with your database username and password so that only your account can read the file.
my shared hosting uses FastCGI which also runs under my account (not as the nobody account) so that's the same.
If I set perms to 400 as you say, then does this scheme provide JUST AS GOOD protection as if I were to move the file (that has username and pwd in it) up and out of the public_html hierarchy?
It's on a jail shell.
ALSO, how would anybody get at the info in the "access_php" file anyway? Let's say that no steps are taken to safeguard the database access info, like so:
access.php file in webroot:
<?php $user = "username"; $pwd = "password"; ?>
index.php file in webroot:
<?php require "access.php"; mysql_connect('localhost', $user, $pwd) or die(mysql_error()); ?>
Anybody can request access.php via their browser but they would get zero output. How would anybody get at the db info?
One consequence of this is that your other files are potentially visible if someone cracks your script, as PHP can then read files that you have "read" permissions on, even if you have blocked "group" and "other".
Walter
[1] LINK
|
What you have to worry about is not when things work correctly. It's when there is a problem and things work incorrectly.
What if, for instance, due to a glitch in your web server, it suddenly stopped parsing .php files for a short time? All of your code is now visible.
But more than that - just fetching the page gives a 200 OK response - which will tell a hacker the file exists - and perhaps he can make use of that information. Storing it outside of the web server's root does not allow even that much access.
The safest way to prohibit access to files is to not store them in the document root.
-- ================== Remove the "x" from my email address Jerry Stuckle JDS Computer Training Corp. jstucklex@attglobal.net ================== |
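As an added example (not code from any poster in this thread), the PHP below loads access.php from outside the document root and refuses to use it if it sits under the web root or grants any access to group or other, the two conditions discussed above. The directory layout and function names are hypothetical, and it assumes PHP runs under your own account (php-cgiwrap or FastCGI, as in the posts above) so that a 0400 file is readable by your scripts.

```php
<?php
// Added example, not code from the thread. Paths and function names are hypothetical.
// Assumes PHP runs as the account that owns the file (php-cgiwrap / FastCGI).

// Return a reason string if $file is unsafe as a credentials file, or null if acceptable.
function credentials_file_problem(string $file, string $docroot): ?string
{
    $real = realpath($file);                       // resolves ../ and symlinks
    if ($real === false || !is_file($real)) {
        return 'credentials file not found';
    }
    $root = realpath($docroot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        return 'credentials file is inside the document root';
    }
    $mode = fileperms($real) & 0777;               // keep only the permission bits
    if ($mode & 0077) {
        return sprintf('mode %04o grants group/other access; use 0400', $mode);
    }
    return null;
}

// Load credentials only if the file passes the checks above.
function load_db_credentials(string $file, string $docroot): array
{
    $problem = credentials_file_problem($file, $docroot);
    if ($problem !== null) {
        error_log("db config refused: $problem");  // detail goes to the server log only
        throw new RuntimeException('Database configuration unavailable');
    }
    return require $file;                          // access.php returns an array
}

// Constructed demo tree under the temp directory so the block runs offline.
$base = sys_get_temp_dir() . '/hide_db_demo_' . getmypid();
mkdir("$base/public_html/sub", 0755, true);        // stands in for the subdomain docroot
mkdir("$base/private", 0700, true);                // sibling of public_html, not served
$code = "<?php return ['user' => 'username', 'pwd' => 'password'];\n";
file_put_contents("$base/public_html/sub/access.php", $code);
chmod("$base/public_html/sub/access.php", 0644);
file_put_contents("$base/private/access.php", $code);
chmod("$base/private/access.php", 0400);

$docroot = "$base/public_html/sub";
echo credentials_file_problem("$docroot/access.php", $docroot), "\n";
$creds = load_db_credentials("$base/private/access.php", $docroot);
echo "loaded credentials for user: {$creds['user']}\n";
```

In a real page, anchor the path to the including script rather than the working directory, for instance `dirname(__DIR__, 2) . '/private/access.php'`, so it does not change with which file does the including.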
| |
|
|