Re: php-postgres-apache Security
From | Eckhard Hoeffner |
---|---|
Subject | Re: php-postgres-apache Security |
Date | |
Msg-id | 20020519124501.GB11674@fifoost.org |
In reply to | php-postgres-apache Security (ameen eetemadi <ameen78101@yahoo.com>) |
List | pgsql-php |
* ameen eetemadi <ameen78101@yahoo.com> [19 05 02 13:43]:
>I am writing php on a
>server(OS:linux,WebServer:apache) that other users can
>write cgi and have shell on it .
>I want to connect to a postgres server in my php file
>without asking username and password !
>then I must write the username and password in this
>file .
>Then other users can read it and drop my database .
>
>can I connect to the postgres through .php file
>without a security bog?

I think there are two possible solutions:

I
As far as I know the php-scripts are running under the
User-ID of the web server, for example "www-data" if you are
using Debian. So you can do the following:

1. Create a directory: mkdir /*/file/.
2. Write a file which includes for example just:
   <?php $db = pg_connect("dbname=db user=user host=host password=pass"); ?>
   then:
   => chmod to 400
   => chown to www-data
3. If you want to connect to the database, use in the php-script
   require("/path/to/the/file/filename");
4. Make sure nobody else can get the user www-data.

II
You must limit the rights of the users for the db, for example
make sure that you have something like

local all password
host public_db 127.0.0.1 255.255.255.0 password
local my_db reject
host my_db 192.168.1.12 255.255.255.0 crypt

in your pg_hba.conf.

--
--//--\\--
Eckhard Hoeffner
e-hoeffner@fifoost.org
Tal 44
D-80331 München
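An added example, not part of the original message: a shell check that the include file from steps 1 and 2 above really has the owner and mode described there. The function name `check_cred_file` is hypothetical, GNU or busybox `stat -c` is assumed, and the caller passes the web server's numeric uid (for example `$(id -u www-data)`).

```shell
#!/bin/sh
# Added example: audit the include file that holds the pg_connect() credentials.
# usage: check_cred_file FILE EXPECTED_UID
check_cred_file() {
    file=$1 want_uid=$2 rc=0

    # A symlink could point require() at a file someone else controls.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file"
        return 1
    fi

    uid=$(stat -c %u "$file")
    mode=$(stat -c %a "$file")
    dir=$(dirname "$file")
    dir_mode=$(stat -c %a "$dir")

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"
        rc=1
    fi
    # Any group/other bit (octal 077) lets other shell users read the password.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants group/other access (the message uses 400)"
        rc=1
    fi
    # A group- or world-writable directory (octal 022) lets others swap the file.
    if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then
        echo "FAIL: directory $dir has mode $dir_mode, writable by others"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file uid=$uid mode=$mode"
    return "$rc"
}

# Run directly as: sh check.sh /path/to/the/file/filename "$(id -u www-data)"
if [ "$#" -ge 2 ]; then
    check_cred_file "$@"
fi
```

File permissions cover only steps 1 and 2; step 4 still matters, because any CGI that runs under the web server's uid can read the same file.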