On Mon, Jan 01, 2001 at 11:55:28PM -0800, Jeff Davis wrote:
> I am setting up a server on which many users will have apache
> virtualhosts (with suexec). I have PHP set up as a module (and CGI).
> However, if someone uses PHP for database connections (who doesn't) then
> they must have the login info for the DB in a file readable by the user
> apache runs as by default. This means that any user on the system could
> look at your PHP scripts and get your password and login to the DB and
> drop your tables. Am I missing something?

No, you got it. You can also include() several config files (/etc/passwd).

> Do I have to run CGIs for any
> security at all? I know a million people use PHP as a module, and they
> don't seem to mind... could someone fill me in on the best direction I
> could be going in?

We discussed that on the German PHP ML a few days ago and the result was
that the only way to secure PHP on a shared server is to set up a chroot
environment with PHP as CGI and suexec.
When you want to avoid that people from the outside can connect to your
DB server, run it on a second server with an internal IP.

Cu,
Sven

--
Sven Hoexter
Earth - Germany - Leverkusen
e-mail: [EMAIL PROTECTED]

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them
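
Added example, not part of the original message: a small audit an administrator of such a shared host could run to see which PHP files are exposed in the way the thread describes. It assumes each file is owned by its vhost user; the function names, the suffix list, the class labels and the web server group id are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def classify(path, web_gid):
    """Say who besides the owner can read `path`, judged from mode bits only."""
    st = os.stat(path)
    if st.st_mode & stat.S_IROTH:
        return "world"       # every local user can read it directly
    if st.st_mode & stat.S_IRGRP and st.st_gid == web_gid:
        return "webserver"   # module-mode PHP of any other vhost can read it
    return "restricted"      # web server cannot read it; needs CGI + suexec

def audit(docroot, web_gid, suffixes=(".php", ".inc")):
    """Walk docroot and map each script path to its exposure class."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                report[full] = classify(full, web_gid)
    return report

def demo():
    """Constructed sample tree: three credential files with different modes."""
    root = tempfile.mkdtemp()
    samples = (("open.php", 0o644), ("group.inc", 0o640), ("private.php", 0o600))
    for name, mode in samples:
        full = os.path.join(root, name)
        with open(full, "w") as fh:
            fh.write("<?php $db_pass = 'constructed-sample'; ?>\n")
        os.chmod(full, mode)
    # Assumption for the demo: the files' group is the web server's group.
    web_gid = os.stat(full).st_gid
    return {os.path.basename(p): c for p, c in audit(root, web_gid).items()}

if __name__ == "__main__":
    for name, exposure in sorted(demo().items()):
        print(f"{exposure:10} {name}")
```

Files reported as "world" or "webserver" are the ones the thread is about; only "restricted" files stay private, and those are usable only when scripts run as their owner.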