We have a large number of fairly technical users, some of whom might be troublemakers.
We wish to give secure(ish) database access to PHP scripts they write.
For this reason, we have them log into the database using our own set of includable PHP libraries. Users are not to be allowed to connect to the database directly, nor know their database passwords, nor use database accessing functions. So those passwords need to be hidden.
The same applies to the remote-exec libs, which use SSH to remotely execute scripts in restricted shells on remote machines: these too have passwords, which are similarly in need of protection.
By necessity, the libraries also contain various other pieces of information that are also sensitive, proprietary, confidential, or restricted for some reason or another.
But there's a problem. They could, using their scripts, display the library files through the website.
To work around this, we've done the following:
1) Prevented certain commands (php_info, get_included_files, get_include_path, ini_get, etc.) that will give information about includes.
2) Given them a chroot shell when they log in through ssh, to which the libraries, and the /etc/php.ini are invisible. The scripts will only work when run by the apache process.
3) Put the libraries in a directory within a readonly directory, like /usr/lib/readonly/php_libs, so that the directory cannot be found by any script that works by traversing the tree from the root directory, and added that directory to the include path.
4) Given the users a list of library names they can include, without paths.
5) Limited the directories the script can read from to the library directory, and /home, so that they can't read php.ini directly.
My question is: is there a better (gentler, less nazi-admin) way to prevent users seeing the contents of the libraries they are using?
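An added example, not part of the original post: a small audit that checks a php.ini against the restrictions listed in items 1, 3 and 5, so drift in the real file is caught. The sample php.ini is constructed, and the assumption that these restrictions are applied through the `disable_functions`, `include_path` and `open_basedir` directives is mine; the post does not say how they were applied.

```python
import posixpath

# Constructed sample php.ini: paths mirror the post, the file itself is invented.
SAMPLE_INI = """\
[PHP]
; functions that reveal include locations
disable_functions = get_included_files, get_include_path
include_path = ".:/usr/lib/readonly/php_libs"
open_basedir = /usr/lib/readonly/php_libs:/home:/etc
"""

# phpinfo is the actual PHP function name (the post writes php_info).
REQUIRED_DISABLED = {"phpinfo", "get_included_files", "get_include_path", "ini_get"}
LIB_DIR = "/usr/lib/readonly/php_libs"
ALLOWED_BASEDIRS = {LIB_DIR, "/home"}

def parse_ini(text):
    """Return key/value pairs from php.ini text, ignoring sections and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # php.ini comments start with ';'
        if line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def path_list(value):
    """Split a ':'-separated directive into normalised directory names."""
    return [posixpath.normpath(p) for p in value.split(":") if p]

def audit(text):
    """Return a list of findings; an empty list means the policy is met."""
    ini = parse_ini(text)
    findings = []
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    for name in sorted(REQUIRED_DISABLED - disabled):
        findings.append(f"disable_functions is missing {name}")
    basedirs = path_list(ini.get("open_basedir", ""))
    if not basedirs:
        findings.append("open_basedir is unset")
    for path in basedirs:
        if path not in ALLOWED_BASEDIRS:
            findings.append(f"open_basedir allows extra directory {path}")
    if LIB_DIR not in path_list(ini.get("include_path", "")):
        findings.append("include_path does not contain the library directory")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI)) or "policy met")
```

Run it against the php.ini that the Apache module actually loads, since the CLI may read a different file.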