* ameen eetemadi <ameen78101@yahoo.com> [19 05 02 13:43]:
>I am writing php on a
>server(OS:linux,WebServer:apache) that other users can
>write cgi and have shell on it .
>I want to connect to a postgres server in my php file
>without asking username and password !
>then I must write the username and password in this
>file .
>Then other users can read it and drop my database .
>
>can I connect to the postgres through .php file
>without a security bog?
I think there are two possible solutions:
I
As far as I know the php-scripts are running under the User-ID of
the web server, for example "www-data" if you are using Debian.
So you can do the following:
1. Create a directory: mkdir /*/file/.
2. Write a file which includes for example just:
<?php
$db = pg_connect("dbname=db user=user host=host password=pass");
?>
then: => chmod to 400
=> chown to www-data
3. If you want to connect to the database, use in the php-script
require("/path/to/the/file/filename");
4. Make shure nobody else can get the user www-data.
II
You must limit the rights of the users for the db, for example make
shure, that you have something like
local all password
host public_db 127.0.0.1 255.255.255.0 password
local my_db reject
host my_db 192.168.1.12 255.255.255.0 crypt
in your pg_hba.conf.
--
--//--\\--
Eckhard Hoeffner
e-hoeffner@fifoost.org
Tal 44
D-80331 München
