Re: setting include_path on shared server

Posted by Chuck Anderson on 08/08/06 04:54

Jesper H. wrote:
> On 2006-08-07, Chuck Anderson wrote:
>
>> 1. Is there another way that I can set the include path globally for
>> my site? (Adding them to htaccess throws a 500 server error.)
>>
>
> Like this?
>
> php_value include_path "whatever"
>
Yep.
> If it doesn't work, then a vague part of my memory says that Apache's
> AllowOverride directive might be the problem. Unfortunately I don't
> remember the minimal setting needed for php_value and such to work. You
> would need to contact the admins to have it changed.
>
I do not know what the issue is, but my host admin says it is not
possible with PHP 5.1 (?).
>
>> 2. How much security is really gained by moving sensitive include
>> files out of the site path (my include files all use the .php
>> extension)? Should I even be that concerned about this capability?
>>
>
> The only potential risk I can see is if the admins accidentally disable
> PHP processing, e.g. while updating some configuration files. So I'd say
> it depends on how competent and alert the admins are. Still, even with
> good admins, I'd better be safe than sorry.
>
That's the way I feel, too.
>
>> 3. Would I gain the same security if I changed my current include
>> files (which I would have to put back into the public site path) to do
>> nothing but set include_path outside the public site and then include
>> a new, secondary file which actually contains the sensitive data?
>>
>
> As far as I can tell, it would give you almost the same security. Again
> the only potential problem I can see is accidentally disabling PHP, which
> would let your users see the filenames you're including. Then they'd have
> a more accurate idea of where to look, in the non public parts of the
> server.
That's how I see it, but I want to be sure I'm not missing something. It
seems like the easiest "fix."
> But at least now they'd have to somehow get local access, as
> well as overriding the permissions that prevent users from peeking at
> each others files (.. you do have permissions set like that, right?).
>
I've left most directory/file attributes at defaults, so you've prompted
me to play around and see if I can set these important folders to 700.
Everything still seems to work, so thanks for that.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
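
The stub approach from question 3, written out as an added example (not code from the thread): a public file that holds no secrets, checks that the private include directory is outside the web root and not group/world accessible, then sets include_path and loads the real file. The file names `config.php` and `db_settings.php`, the directory `private_inc`, and the helper `fail_closed()` are hypothetical; it also assumes PHP runs as the account owner, which is what lets a 700 directory keep working.

```php
<?php
// config.php: public stub kept inside the web root (hypothetical file name).
// It holds no secrets. It only points include_path at a private directory
// and pulls in the real file from there.

// Assumed layout: /home/user/public_html (web root), /home/user/private_inc.
$privateDir = realpath(dirname(__FILE__) . '/../private_inc');
$docRoot    = realpath($_SERVER['DOCUMENT_ROOT']);

function fail_closed($why)
{
    // Log the reason server-side; show the visitor nothing useful.
    error_log('include stub: ' . $why);
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}

if ($privateDir === false || !is_dir($privateDir)) {
    fail_closed('private include directory not found');
}

// The directory must not be reachable by URL, i.e. not under the web root.
if ($docRoot !== false
    && strpos($privateDir . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    fail_closed('private include directory is inside the document root');
}

// On a shared host, other accounts must not be able to read it:
// refuse anything with group/other permission bits set (expect 0700).
if ((fileperms($privateDir) & 0077) !== 0) {
    fail_closed('private include directory is group/world accessible');
}

// Put the private directory first so a same-named file elsewhere cannot shadow it.
set_include_path($privateDir . PATH_SEPARATOR . get_include_path());

require_once 'db_settings.php';   // hypothetical file holding the sensitive data
```

If PHP processing is ever disabled, this stub is served as plain text and reveals only the private directory's relative path and one file name, which is the residual exposure discussed in the thread.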

 
