Posted by Jamie on 04/29/06 13:20

Hello Newsgroup:

This is my little rant about security and why we have home directories.

You may choose to ignore it or disagree with it, that is your prerogative
and I won't care, but... this little rant needs to be said in the 21st
century, as we seem to have forgotten about it.

Many PHP packages and cgi scripts ask you to store database settings
and passwords in web space.

Of course, it's secure, so long as configuration files are given
a [.php|.cgi] extension, right?

Wrong.

I think most of us have seen misconfigured web servers that send the
contents of PHP files rather than running them through an interpreter
at some point. A .php extension does not give a configuration file
security. I've seen this happen many times, as I'm sure anyone here has.

Time was, all the CGI programming FAQs would warn you about this; they would
tell you to always make sure passwords and critical pieces of information are
kept safely outside web space. This "old timer" advice still applies.

The general rule was, if you don't want it sent to the browser, don't put it on
the web server. (meaning, in "web space")

Don't protect something with an .htaccess file.

Don't protect something with a .php|.cgi or .whatever

Just don't put critical bits of data on the web server. (unless you
have no choice)

But.. not any more, we've forgotten this ancient advice.

We now routinely ask people to edit some sort of .php file for database
settings and save it in the same directory as the script running it. It's
common practice, heck I've done it a few times.... From what I gather,
PHP's so called "safe mode" (isn't that a kick in the teeth) demands
you do this.

It's convenient, it's what users have come to expect.

But... it is not secure.

We have home directories for this sort of thing and I just wish we'd get back
to the old practice of using them for their intended purpose before ISPs start
making a person's home directory the same as the web directory.

There, rant over. Sorry.. had to say it. I don't expect anyone to actually
listen to it or anything; people seldom do.

You may go back to storing all your critical database settings in web space
now. :-)

Jamie
--
http://www.geniegate.com Custom web programming
guhzo_42@lnubb.pbz (rot13) User Management Solutions
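As an added illustration of the layout the post argues for (this is example code, not Jamie's and not from any particular PHP package), the snippet below assumes a DocumentRoot of /home/jamie/public_html and keeps the database credentials in /home/jamie/private/db.ini, a path no URL maps to; the loader also refuses to read a credentials file that resolves to somewhere under the document root, which is the risk the post describes.

```php
<?php
// Added example, not from the original post. Assumed paths:
//   DocumentRoot            /home/jamie/public_html
//   credentials (outside)   /home/jamie/private/db.ini
//
// The layout the post warns against (credentials inside web space):
//   /home/jamie/public_html/index.php
//   /home/jamie/public_html/config.php   <-- $db_pass = 'secret';
// If the interpreter is ever bypassed, config.php is served as plain text.
//
// The layout the post asks for (credentials in the home directory):
//   /home/jamie/public_html/index.php
//   /home/jamie/private/db.ini           <-- no URL reaches this file
//
// Assumed contents of /home/jamie/private/db.ini (constructed sample):
//   host = "localhost"
//   name = "shopdb"
//   user = "shop"
//   pass = "example-only"

function load_db_config(string $path): array
{
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    // Compare resolved paths so a symlink into public_html is caught too.
    $prefix = $docroot . DIRECTORY_SEPARATOR;
    if ($docroot !== false && strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("refusing to load credentials from web space: $real");
    }
    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("could not parse $real");
    }
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!array_key_exists($key, $cfg)) {
            throw new RuntimeException("missing key '$key' in $real");
        }
    }
    return $cfg;
}

// Called from a script that lives in web space; the secrets do not.
$cfg = load_db_config('/home/jamie/private/db.ini');
$pdo = new PDO("mysql:host={$cfg['host']};dbname={$cfg['name']}",
               $cfg['user'], $cfg['pass']);
```

The home-directory file should also be readable only by the account the web server runs scripts as (for example with file mode 0600 under a per-user setup), since moving it out of web space protects against the interpreter being bypassed, not against other local users.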
