From: Arno H. <aho...@xm...> - 2001-02-08 09:03:06

> Don't fix admin.php until you found a fix for config.php -- gives a false
> sense of security.

Following up on my own email: I remembered that phorum has quite a good
description of how to securely install their app. Taken from their
security.txt:

    If you want to run Phorum on a shared server, you absolutely need to
    wrap the scripts... unless, of course, your provider makes all of your
    scripts run as your userid.

    [...]

    What "wrapping" means is to have the .php scripts executed under your
    userid instead of the web server's default "nobody". This is because, no
    matter how well you hide the script (e.g. in a directory that's chmod
    711), any user on your server could create a script that is run as
    "nobody" by the web server which could [read] your config files. This is
    especially bad on a shared server because the config file could also
    give the user access to your database passwords which, in many cases,
    will let them mess with more than just your Phorum tables.

    On a shared server, your provider should be "providing" you with a
    secure and PHP-friendly script wrapper. If they are not, you should
    either not run scripts like Phorum that read/write files that include
    passwords or you should move to another provider.

Bottom line: there's no way to secure config.php on a shared server if the
web server runs as nobody.

/Arno
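The Phorum advice above boils down to a permission question: either config.php is owner-only and PHP runs under the owner's uid (a wrapper such as suEXEC), or it has to be readable by the shared web-server uid, in which case every other customer's script can read it too. The following check is an added example, not code from this mailing list or from the Phorum project; it classifies a config file by its permission bits and, optionally, by whether its owner is the web-server account (the account name is an assumed argument, e.g. "nobody").

```shell
#!/bin/sh
# Added example (not from the original mail or Phorum): report whether a
# config file is readable by anyone other than its owner on a shared host.
#
# Usage: check_config_exposure /path/to/config.php [webserver_user]
# Prints one of: missing, world-readable, group-readable,
#                owned-by-webserver, owner-only
# Exit status is 0 only for owner-only.
check_config_exposure() {
    f="$1"
    webuser="${2:-nobody}"   # assumed default web-server account name
    [ -f "$f" ] || { echo "missing"; return 2; }

    # Portable permission/owner extraction via ls -ld, e.g. "-rw-r--r-- 1 alice www ..."
    line=$(ls -ld "$f")
    perms=$(printf '%s' "$line" | cut -c2-10)      # rwxrwxrwx triplets
    owner=$(printf '%s' "$line" | awk '{print $3}')
    group_r=$(printf '%s' "$perms" | cut -c4)
    other_r=$(printf '%s' "$perms" | cut -c7)

    if [ "$other_r" = "r" ]; then
        # Any local account, and thus any script run as the web server, can read it.
        echo "world-readable"; return 1
    elif [ "$group_r" = "r" ]; then
        # Readable by every member of the file's group (often the web server's group).
        echo "group-readable"; return 1
    elif [ "$owner" = "$webuser" ]; then
        # Mode is strict, but the owner IS the shared web-server uid, which every
        # customer's unwrapped script runs as: still exposed.
        echo "owned-by-webserver"; return 1
    else
        # Owner-only and owned by a real user: safe only if PHP runs as that user
        # (i.e. the scripts are wrapped), which is exactly the Phorum condition.
        echo "owner-only"; return 0
    fi
}
```

Run it against the real config file with the web server's account name as the second argument; "owner-only" on an unwrapped host is still not enough, because PHP running as nobody then cannot read the file at all, which is the dilemma the mail describes.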