Re: php-postgres-apache Security

From: Eckhard Hoeffner <e-hoeffner(at)fifoost(dot)org>
To: pgsql-php(at)postgresql(dot)org
Subject: Re: php-postgres-apache Security
Date: 2002-05-19 12:45:01
Message-ID: 20020519124501.GB11674@fifoost.org
Lists: pgsql-php

* ameen eetemadi <ameen78101(at)yahoo(dot)com> [19 05 02 13:43]:

>I am writing PHP on a
>server (OS: Linux, web server: Apache) on which other users can
>write CGI and have a shell.
>I want to connect to a postgres server in my PHP file
>without asking for username and password!
>Then I must write the username and password in this
>file.
>Then other users can read it and drop my database.
>
>Can I connect to postgres through a .php file
>without a security bug?

I think there are two possible solutions:

I
As far as I know, the PHP scripts run under the user ID of
the web server, for example "www-data" if you are using Debian.

So you can do the following:
1. Create a directory: mkdir /*/file/.
2. Write a file which includes for example just:
<?php
$db = pg_connect("dbname=db user=user host=host password=pass");
?>

then: => chmod to 400
=> chown to www-data

3. If you want to connect to the database, use in the PHP script
require("/path/to/the/file/filename");

4. Make sure nobody else can get the user www-data.

II
You must limit the rights of the users for the db, for example make
sure that you have something like

local all password
host public_db 127.0.0.1 255.255.255.0 password
local my_db reject
host my_db 192.168.1.12 255.255.255.0 crypt

in your pg_hba.conf.

--
--//--\\--
Eckhard Hoeffner
e-hoeffner(at)fifoost(dot)org
Tal 44
D-80331 München
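
A check for the permissions set in steps 1 to 3 of the message above, as an added example that is not part of the original message. The file path and owner name passed to it are assumptions; it also inspects the containing directory, because a directory writable by other accounts lets them replace the file.

```shell
#!/bin/sh
# Added example: audit a PHP credentials include file.
# Usage (path and owner are assumptions, adjust to your setup):
#   check_secret_file /path/to/the/file/filename www-data

# Print the owner name of a file, as reported by ls -ld.
file_owner() {
    ls -ld -- "$1" | awk '{print $3}'
}

# Print the nine permission characters (rwxrwxrwx form) of a file.
file_perms() {
    ls -ld -- "$1" | cut -c2-10
}

# check_secret_file FILE EXPECTED_OWNER
# Returns 0 when FILE is a regular file owned by EXPECTED_OWNER, grants
# nothing to group or others, and sits in a directory that group and
# others cannot write to. Returns non-zero and prints each finding otherwise.
check_secret_file() {
    file=$1 want_owner=$2 rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        return 2
    fi

    owner=$(file_owner "$file")
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        rc=1
    fi

    perms=$(file_perms "$file")
    case $perms in
        ???------) ;;   # only the owner has any access (400, 600, ...)
        *) echo "FAIL: mode $perms grants access to group or others"; rc=1 ;;
    esac

    # Character 5 is group write, character 8 is other write.
    dperms=$(file_perms "$(dirname -- "$file")")
    case $dperms in
        ????w????|???????w?)
            echo "FAIL: directory mode $dperms lets other accounts replace the file"
            rc=1 ;;
    esac
    return "$rc"
}
```

The check covers file and directory permissions only; any code that runs under the web server's own user ID can still read the file, which is what step 4 is about.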
