php-postgres-apache Security
on 19.05.2002 13:43:55 by ameen eetemadi
I am writing PHP on a
server (OS: Linux, web server: Apache) where other users can
write CGI scripts and have shell access.
I want to connect to a PostgreSQL server from my PHP file
without asking for a username and password!
Then I must write the username and password in this
file.
Then other users can read it and drop my database.
Can I connect to Postgres through a .php file
without a security bug?
---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
http://archives.postgresql.org
Re: php-postgres-apache Security
on 19.05.2002 14:45:01 by Eckhard Hoeffner
* ameen eetemadi [19 05 02 13:43]:
>I am writing PHP on a
>server (OS: Linux, web server: Apache) where other users can
>write CGI scripts and have shell access.
>I want to connect to a PostgreSQL server from my PHP file
>without asking for a username and password!
>Then I must write the username and password in this
>file.
>Then other users can read it and drop my database.
>
>Can I connect to Postgres through a .php file
>without a security bug?
I think there are two possible solutions:
I
As far as I know, the PHP scripts run under the user ID of
the web server, for example "www-data" if you are using Debian.
So you can do the following:
1. Create a directory: mkdir /*/file/.
2. Write a file which includes, for example, just:
<?php
$db = pg_connect("dbname=db user=user host=host password=pass");
?>
then: => chmod to 400
      => chown to www-data
3. If you want to connect to the database, use in the PHP script
require("/path/to/the/file/filename");
4. Make sure nobody else can get the user www-data.
II
You must limit the rights of the users for the DB, for example make
sure that you have something like

# pg_hba.conf is read top to bottom and the first matching record wins,
# so the my_db records must come before the catch-all "local all" record
# (otherwise "local my_db reject" is never reached).
local    my_db                                    reject
host     my_db       192.168.1.12  255.255.255.0  crypt
local    all                                      password
host     public_db   127.0.0.1     255.255.255.0  password

in your pg_hba.conf.
--
--//--\\--
Eckhard Hoeffner
e-hoeffner@fifoost.org
Tal 44
D-80331 München
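The file-permission procedure from solution I above, as an added shell example that is not part of the original thread: it writes the credentials include with a restrictive umask, applies the mode 400 / www-data ownership the reply describes, and verifies that nobody but the owner can read the result. The web server user name (WEB_USER, defaulting to www-data), the placeholder credentials and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: automate solution I
# (credentials in a separate include readable only by the web server user)
# and check the outcome. WEB_USER and the paths below are assumptions.

set -u

WEB_USER="${WEB_USER:-www-data}"   # Debian's Apache user; adjust as needed

# Step 2: write the include. umask 077 means the file is created with
# mode 600, so it is never world-readable even before chmod runs.
write_db_include() {
    file="$1"
    (
        umask 077
        cat > "$file" <<'EOF'
<?php
/* placeholder credentials, as in the thread */
$db = pg_connect("dbname=db user=user host=host password=pass");
?>
EOF
    )
}

# Step 2 (continued): mode 400, owned by the web server user. chown needs
# root, so it is skipped with a warning when run unprivileged or when the
# user does not exist on this machine.
lock_down() {
    file="$1"
    owner="$2"
    chmod 400 "$file" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner" "$file" || return 1
    else
        echo "warning: not root or no user '$owner'; chown skipped" >&2
    fi
    return 0
}

# Check: return 0 only if no one but the owner can read the file.
# Parses ls -l instead of stat(1), whose flags differ between GNU and BSD.
is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (paths are hypothetical):
#   write_db_include /etc/php-secrets/db.inc
#   lock_down /etc/php-secrets/db.inc "$WEB_USER"
#   is_private /etc/php-secrets/db.inc && echo "db.inc is private"
```

One caveat a practitioner should keep in mind: with PHP running inside Apache, every PHP script on the box executes as www-data, so another user's PHP script can still require() the same include. Step 4 of the reply closes the shell-access route only; separating users from each other needs each user's scripts to run under their own UID (for example via suexec) in addition to the pg_hba.conf restrictions in solution II.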