Security Basics mailing list archives

Re: Apache: limiting the execution place


From: "Tim Greer" <chatmaster () charter net>
Date: Wed, 18 Jun 2003 09:37:44 -0700




From: "exon" <exon () home se>
To: <security-basics () securityfocus com>
Sent: Wednesday, June 18, 2003 6:57 AM
Subject: Re: Apache: limiting the execution place


> No misunderstanding from you, but sort of one for me. Sorry about that.
>
> Still though, I can't quite see the reason for hindering other users from
> seeing the script code.

Perhaps they worked hard on the programming and don't want people lifting
the code, or they do store passwords, yes. Perhaps plain text is a poor
method for a script, but even if encrypted, all someone has to do is use the
same script functions with that encrypted password to perhaps access a
database or interact with the other person's script in a harmful manner.
Assuming perhaps that all scripts run as the global web server user. I think
this is also more about users on a system--people you don't have control
over what they use or the like. Many users on web hosts use free scripts or
scripts that do contain plain text passwords. Files with data they don't
want others to see, but have to be accessible from a CGI or PHP script for
their ecommerce site to work, for example.

> Only local users can read them in 'raw'
> format.

Yes, and I think the OP's question was about how to prevent other local
users (on a web host, for example) from reading other clients' files on the
same server.

> Unless of course there are some copyright issues here, or there are
> 'hardcoded' (as hardcoded as they get in scripts) plaintext passwords to
> protect, in which case the scripts are flawed anyways. Passwords should
> be stored encrypted in separate files.

They should be, but if the CGI or PHP script has to read it in, other users
can too, unless some type of method is implemented, such as is being
discussed in this topic.
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
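The situation Tim describes (a config file that a CGI or PHP script must read, on a host where other local users also have accounts) can be checked with an ordinary file-permission audit. The script below is an added example written for this archive page; it is not code from the thread or from Apache. It builds a constructed sample web root with two files that carry plaintext passwords, lists every world-readable file that mentions a credential, and then shows the usual fix of `chmod 640` plus ownership by the web server's group. The group used in the demo (`id -gn`) is a stand-in for something like `www-data`. Note the limit Tim points at: this stops other local shell users from reading the file, but it does not stop other customers' scripts if every script still runs as the one shared web-server user; that needs each customer's scripts executed under their own uid, which is the "type of method" the thread is discussing.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit a web root for
# world-readable files that mention credentials, and drop "other" access.

# find_world_readable_secrets DIR
# Prints the path of every regular file under DIR that is readable by
# "other" (mode bit 004) and contains a line like "password = ..." or
# "passwd=...", case-insensitively. Output is sorted for stable results.
find_world_readable_secrets() {
    find "$1" -type f -perm -004 -print 2>/dev/null | sort | while IFS= read -r f; do
        if grep -qiE 'pass(word|wd)?[[:space:]]*=' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_world_readable_secrets DIR -> number of offending files
count_world_readable_secrets() {
    find_world_readable_secrets "$1" | wc -l | tr -d ' '
}

# fix_secret_perms FILE GROUP
# Hand the file to the web server's group and remove all access for "other".
# The server still reads it through group membership; other local users
# (who are not in that group) no longer can.
fix_secret_perms() {
    chgrp "$2" "$1"
    chmod 640 "$1"
}

# build_demo_tree -> path of a constructed sample web root (constructed data,
# not taken from any real host): two files with plaintext passwords, one
# harmless HTML page, all world-readable as a careless upload would leave them.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/shop/include" "$root/blog"
    printf '<?php\n$db_password = "hunter2";\n' > "$root/shop/include/config.php"
    printf 'user=shopadmin\npassword=s3cret\n' > "$root/blog/settings.ini"
    printf '<html>hello</html>\n' > "$root/blog/index.html"
    chmod 644 "$root/shop/include/config.php" "$root/blog/settings.ini" "$root/blog/index.html"
    printf '%s\n' "$root"
}

# demo: run the audit before and after applying the permission fix.
demo() {
    root=$(build_demo_tree)
    echo "World-readable files mentioning credentials under $root:"
    find_world_readable_secrets "$root"
    web_group=$(id -gn)   # stand-in for the web server's group, e.g. www-data
    for f in "$root/shop/include/config.php" "$root/blog/settings.ini"; do
        fix_secret_perms "$f" "$web_group"
    done
    echo "After chmod 640 / chgrp $web_group: $(count_world_readable_secrets "$root") file(s) still exposed"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh audit.sh --demo`; the functions can also be sourced and pointed at a real document root. The credential pattern is deliberately simple and will miss other layouts, so treat a clean result as "nothing obvious", not as proof.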

