Clarification about permissions and security of a php program

davidj56

Hi,

Requesting a clarification about permissions and security of a
php program.

One thing I noticed in order to run the php program (on a linux server) I
need to set the read permission for Other.

In this program I'll have the MySQL credentials defined.

Are there are any security concerns when the read permission
is set on other i.e.; isn't it possible to write a program to
remotely read the contents of the file.

Wouldn't it be better if the permission was set for
user only and the php engine could run the program as user as the case is with cgi using suEXEC.

Also lets assume the installation is on a virtual host and the installer does not have root access
to change group permissions on subfolders under document root.

Thank-you in advance
David J.

laserlight

Are there are any security concerns when the read permission
is set on other i.e.; isn't it possible to write a program to
remotely read the contents of the file.

A bug in a server program listening over the network could allow this to happen (and it has happened before, even to Apache, if I remember correctly). Other than that, no, the web server would only serve the interpreted PHP scripts, not the PHP source code.

In this program I'll have the MySQL credentials defined.

However, if the web server does not invoke the PHP interpreter for some reason, the PHP source code will be served. Consequently, you should keep your database credentials in a file outside of the document root, so the web server will not serve it at all. You would then include this file in your relevant PHP script.

I am afraid I am not a security expert though, so for more information I have to refer you to the PHP manual's section on security.

davidj56

Hi,

Thank-you for a very good answer.

Which leads to another newbie question:

If I need to include a file outside document root; won't I have to define the full unix path to the the include file which has the mysql credentials.

Thanks in advance
David J.

laserlight

If I need to include a file outside document root; won't I have to define the full unix path to the the include file which has the mysql credentials.

A relative path will do.

davidj56

Hi,

Thank-you Laserlight

I just tried it wrt the cgi-bin since its not under Document Root ( at least in this case) and its ScriptAlias in the apache configuration file

eg.
<?php

include "/cgi-bin/testpath.php";

<html>
<body>
<h1> hello world </h1>
</body>
<html>

It didn't work. testpath.php has "goodbye world" but instead only hello world came up.

I also tried it on a directory which has Alias to document root and that didn't work also.

eg Alias /stats /pathto.../stats

Thanks
David J.

laserlight

/cgi-bin/testpath.php is an absolute path.

davidj56

Hi,

Could you show me an example of what you mean by a relative path wrt a folder not under document root.

eg. /www/..../htdocs - document root

and

/www/..../cgi-bin or /www/..../myphpfilesnotunderdocumentroot and both are parallel to the document root.

How do I get the php program under document root to read the file from cgi-bin or mphpfilesnotunderdocumentroot

Thanks
David J.

laserlight

For example:

include '../../mysql.login.conf';

Of course, you may wish to make it relative to document root, e.g.,

include $_SERVER['DOCUMENT_ROOT'] . '../../mysql.login.conf';

davidj56

Hi,

Thank-you. It worked.

Just to summarize; as you stated by putting the mysql credentials in a file in a folder not under document root but accessed by a relative path and though it has the read permission set on other and supposing that all server programs like apache are properly installed any attempt to grab the contents of the file would only render the php results.

Thanks
David J.