Security Basics mailing list archives
Re: Apache: limiting the execution place
From: exon <exon () home se>
Date: Wed, 18 Jun 2003 15:57:39 +0200 (CEST)
No misunderstanding from you, but sort of one for me. Sorry about that.

Still though, I can't quite see the reason for hindering other users from seeing the script code. Only local users can read them in 'raw' format. Unless of course there are some copyright issues here, or there are 'hardcoded' (as hardcoded as they get in scripts) plaintext passwords to protect, in which case the scripts are flawed anyways. Passwords should be stored encrypted in separate files.

/Andy

PS. I was intrigued by this, so I'm currently working on a small app to add unix type password security to linux users. Gimme a holler if you're interested.

On Tue, 17 Jun 2003, Jonas Acres wrote:
I apologize if I misunderstood anything here...

I believe the idea is to protect the Defender's raw PHP/Perl/whatever code from the Attacker, who also has an account on the server. If Defender's public_html directory is world-readable, Attacker can SSH/telnet/whatever in and take it. If Defender's public_html directory is only readable by her and httpd, then the only way to the file is through the web server. The web server won't ever send out raw code if it's set up properly -- it'll parse the code, and send out the HTML output. So going through the web server is useless to Attacker.

Jonas

On 2003-06-17 02:16, "exon" <exon () home se> wrote:

I don't quite see the point, or I've misunderstood what you're asking for. Do you want to block local users from seeing what global users can? What hinders the local users from getting it anyway through the webserver instead?

/Andy
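The permission layout discussed in this message can be checked from the owner's side. The script below is an added example, not part of the original posts: it lists the files in a web tree that accounts in the "other" permission class can read from a shell. The function names are hypothetical, and it assumes the web server reaches the tree through the owner or group class and that no ACLs are in use.

```shell
#!/bin/sh
# Added example (not from the thread): audit a public_html tree for files
# that local accounts in the "other" class can read directly.
# Assumption: httpd gets access via owner/group bits, not "other"; ACLs and
# the directories above ROOT are not examined.

# exposed_files ROOT
# Prints each regular file under ROOT that has the other-read bit set AND is
# reachable only through directories that have the other-search (x) bit set.
# A directory without o+x is pruned: nothing below it can be opened by
# "other", whatever the modes of the files inside.
exposed_files() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# count_exposed ROOT
# Prints the number of files reported by exposed_files.
count_exposed() {
    exposed_files "$1" | wc -l | tr -d ' '
}

# Optional stand-alone use: sh audit.sh /home/user/public_html
if [ "$#" -gt 0 ]; then
    n=$(count_exposed "$1")
    echo "$n file(s) readable by other local users under $1"
    exposed_files "$1"
fi
```

A count of 0 after `chmod 750` on the web root, with the root's group set to the one httpd runs under, corresponds to the "only readable by her and httpd" layout described above.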