Posted by David Haynes on 04/29/06 13:44

Jamie wrote:
> Hello Newsgroup:
>
> This is my little rant about security and why we have home directories.
>
> You may choose to ignore it or disagree with it, that is your prerogative
> and I won't care, but... this little rant needs to be said in the 21st
> century, as we seem to have forgotten about it.
>
> Many PHP packages and cgi scripts ask you to store database settings
> and passwords in web space.
>
> Of course, it's secure, so long as configuration files are given
> a [.php|.cgi] extension, right?
>
> Wrong.
>
> I think most of us have seen misconfigured web servers that send the
> contents of PHP files rather than running them through an interpreter
> at some point. A .php extension does not give a configuration file
> security. I've seen this happen many times as I'm sure anyone here has.
>
> Time was, all the CGI programming FAQs would warn you about this, they would
> tell you, always make sure passwords and critical pieces of information are
> kept safely outside web space. This "old timer" advice still applies.
>
> The general rule was, if you don't want it sent to the browser, don't put it on
> the web server. (meaning, in "web space")
>
> Don't protect something with an .htaccess file.
>
> Don't protect something with a .php|.cgi or .whatever
>
> Just don't put critical bits of data on the web server. (unless you
> have no choice)
>
> But.. not any more, we've forgotten this ancient advice.
>
> We now routinely ask people to edit some sort of .php file for database
> settings and save it in the same directory as the script running it. It's
> common practice, heck I've done it a few times.... From what I gather,
> PHP's so-called "safe mode" (isn't that a kick in the teeth) demands
> you do this.
>
> It's convenient, it's what users have come to expect.
>
> But... it is not secure.
>
> We have home directories for this sort of thing and I just wish we'd get back
> to the old practice of using them for their intended purpose before ISPs start
> making a person's home directory the same as the web directory.
>
> There. Rant over. Sorry.. had to say it, I don't expect anyone to actually
> listen to it or anything, people seldom do.
>
> You may go back to storing all your critical database settings in web space
> now. :-)
>
> Jamie

Three thoughts occurred to me when reading this:
1. How is this specific to Unix and/or home directories? It seems more
about keeping private data in the web server space.
2. Why not keep most of your private data in a database? That is not
within the web server space but can be accessed as needed.
3. If you need to store private data within the web server space, why
not encrypt it first?

-david-
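As an added illustration of the practice Jamie is asking for (this is example code, not from either poster): a small PHP loader that reads database settings from an INI file one level above the document root and refuses to proceed if the resolved path turns out to be inside web space, so a server that starts serving .php source by mistake has nothing sensitive to hand out. The paths, the `db.ini` layout and the `DOCUMENT_ROOT` fallback are assumptions.

```php
<?php
// Added example: load DB credentials from OUTSIDE the web server's document
// root and verify that they really are outside it. All paths are assumptions.
declare(strict_types=1);

/**
 * Resolve $configPath, check it is not under $documentRoot, parse it as INI.
 * Throws RuntimeException if the file is missing, web-reachable or incomplete.
 */
function loadDbConfigOutsideWebspace(string $configPath, string $documentRoot): array
{
    $real = realpath($configPath);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root does not exist');
    }
    // Compare with a trailing separator so /srv/www does not match /srv/www-private.
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootWithSep, strlen($rootWithSep)) === 0) {
        throw new RuntimeException("refusing to load $real: it is inside web space ($root)");
    }
    $settings = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($settings === false) {
        throw new RuntimeException("cannot parse $real");
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!array_key_exists($key, $settings)) {
            throw new RuntimeException("missing '$key' in $real");
        }
    }
    return $settings;
}

// Assumed layout:  /var/www/example.com/htdocs/index.php   (this script, web root)
//                  /var/www/example.com/config/db.ini      (not reachable by URL)
// db.ini is a constructed sample:
//   host = "localhost"
//   user = "app"
//   password = "change-me"
//   dbname = "appdb"
$config = loadDbConfigOutsideWebspace(
    __DIR__ . '/../config/db.ini',
    $_SERVER['DOCUMENT_ROOT'] ?? __DIR__   // CLI runs have no DOCUMENT_ROOT; treat this dir as root
);
$db = new mysqli($config['host'], $config['user'], $config['password'], $config['dbname']);
```

Moving the file alone is the point: if you copy this pattern but leave `db.ini` inside `htdocs`, the check above fails closed instead of silently exposing the credentials.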
