My rant about unix home directories
Available news archives: comp.lang.tcl - comp.lang.python - comp.security.firewalls - sci.crypt - comp.lang.php - comp.lang.javascript
Google
 
Web news.hping.org


comp.lang.php archive

My rant about unix home directories

From: Jamie <nospam@geniegate.com>
Date: Sat Apr 29 2006 - 12:20:10 CEST



Hello Newsgroup:



This is my little rant about security and why we have home directories. 



You may choose to ignore it or disagree with it, that is your perogative


and I won't care, but... this little rant needs to be said in the 21'st


century, as we seem to have forgotten about it.



Many PHP packages and cgi scripts ask you to store database settings


and passwords in web space.



Of course, it's secure, so long as configuration files are given


a [.php|.cgi] extension, right?



Wrong.



I think most of us have seen misconfigured web servers that send the 


contents of PHP files rather then running them through an interpreter


at some point. A .php extension does not give a configuration file


security. I've seen this happen many times as I'm sure anyone here has.



Time was, all the CGI programming FAQ's would warn you about this, they would


tell you, always make sure passwords and critical pieces of information are


kept safely outside web space. This "old timer" advice still applies.



The general rule was, if you don't want it sent to the browser, don't put it on


the web server. (meaning, in "web space")



Don't protect something with an .htaccess file.



Don't protect something with a .php|.cgi or .whatever



Just don't put critical bits of data on the web server. (unless you


have no choice) 



But.. not any more, we've forgotten this ancient advice.



We now routinely ask people to edit some sort of .php file for database


settings and save it in the same directory as the script running it. It's


common practice, heck I've done it a few times.... From what I gather,


PHP's so called "safe mode" (isn't that a kick in the teeth) demands 


you do this.



It's convenient, it's what users have come to expect.



But... it is not secure.



We have home directories for this sort of thing and just I wish we'd get back


to the old practice of using them for their intended purpose before ISP's start


making a persons home directory the same as the web directory.



There. rant over. Sorry.. had to say it, I don't expect anyone to actually


listen to it or anything, people seldom do. 



You may go back to storing all your critical database settings in web space


now. :-)



Jamie



-- 
http://www.geniegate.com                    Custom web programming
guhzo_42@lnubb.pbz (rot13)                User Management Solutions


Received on Mon May  1 03:07:19 2006