Protect my local DB

flying_guy

Hi,
I have an intranet site and 1 private directory under the document root.

I password-protected each php files in that directory by including a password authentication script in them.
The users can create or modify their account (password included) through my php pages.
I modify the users table (a flag) to give access for some of them to the private section.
I've set up appropriate file permissions to the private directory and sub-directories.
I've set up appropriate Apache permissions to the private directory and sub-directories.
I've protected my Mysql password by using SetEnv in my httpd.conf.

My issue is :
I have a public directory under the document root where I let users create their own html/php pages. Even if they don't know the password of the Mysql account I use in my php pages, any user can create a php file, use $_SERVER['SQL_PASS'] and modify my users table and then get access to the private section.

Anyone get an idea to prevent from this ? Thanks !

Foo

rename $_SERVER['SQL_PASS'] to something ridiculously long and unguessable?

bastien

create a limited user with basic rights (insert delete select update)that can connect from anywhere but not the users table

create a superuser that can only connect from your machine with a diff username and pass...

solved

flying_guy

Bastien, thanks but your solution would be fine if I maintained myself the users table but as I said, I let the users create or modify their account (password included) through my php pages, i.e the users table using a "superuser" account.

Foo, thanks, your solution is actually the only one I can see for the moment.

Anyone would get any better idea than Foo's one ?

bastien

Never, ever give the user that kind of ability. Its poor DB security. Best thing is to create another version of the users table and give them access to that with the llimited true user account.

That is how most web sites run their operations. The DBA creates a limited account as previously described and the users data is stored in that table...bacially you create a role that gets used by all the users, while your role is that of the DBA with superuser status...your application logic should take care of the users requirements for new passwords etc

Anybody with half a clue or less can then scramble the db, if they have the grant option and can give themselve superuser power. Your worry should not be "Can they see my secured site stuff?" but "Can they totally screw the DB?" And right now the answer is YES.

flying_guy

Right, I agree with you but I don't see what's under your "your application logic should take care of the users requirements for new passwords".

Please, let's consider the following :

user1 : basic rights, used by all the users in my php applications, cannot access to the users table,
user2 : user1 plus users table access,
superuser.

I use user2 to manually modify the users table to create new user accounts, give access for some of them to the private section and take care of the users requirements for new passwords.

Fine.

Next, I want to bluid a php application to manage the users table instead of me i.e users could create their own account and modify their password. I will continue to manage the flag that give access to the private section.

This application will use my user2 account...

I don't want any user to see my user2 password, so I use SetEnv in my httpd.conf to set my $_SERVER['SQL_PASS_USER_2'].

A malicious user create a php script under the intranet's public directory that use $_SERVER['SQL_PASS_USER_2'] (he knew I would use that name ;-) ) and give himself access to the private section or whatever.

What do you suggest ?...

rachel2004

Have you considered registering the following 2 items as $_SESSION variables:

username
access level

Then in your scripts (especially in the directory where you are having access control problems), do a check of these variables.

The logic should check:

Is a username and access level set?
Does acess level at least of medium (medium level being the ability to create a script) but less than high (which would have db access?

flying_guy

Yes, I've used $_SESSION variables to protect my php scripts that are in my private directory and it works fine :

If someone logs in, I query the DB to determine if the user does exist and if he has access to the private section. And I then indeed use $_SESSION variables to protect my php scripts.

But the problem is not here :

As I said before, this is an intranet site with a public directory where anyone can create his own php/html file.
And my concern is :
How can I prevent someone from using $_SERVER['SQL_PASS_USER_2'] in his php script to modify my users table that contains user passwords and private access flag.

bastien

I thought $_SERVER['varname'] really only looked for the headers, and did not have access to the script level variables...

am i wrong?

flying_guy

Well, $_SERVER['SQL_PASS_USER_2'] will here be defined in httpd.conf and used only in mysql_connect command in the php script that will update my users table.

Or, I could use a php file with :
define("SQL_PASS_USER_2", "secret_pwd");
and protect that file with .htaccess.

But how can I prevent someone from using this variable in his php script ?