[cobalt-security] PHP, mySQL passwords, and Safe_Mode on a RaQ 4R
- Subject: [cobalt-security] PHP, mySQL passwords, and Safe_Mode on a RaQ 4R
- From: "Michelle A. Hoyle" <mahlist@xxxxxxxxxxxxx>
- Date: Wed, 22 May 2002 21:05:04 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I'm running PHP 4.1.2 (yes, I know 4.2.1 is now out) on a Cobalt RaQ
4 with mySQL. I've been whacking my head against a brick wall for
the last year, trying to come up with a better way to store the mySQL
connection information. When safe mode became available and I
understood what it was supposed to do, I hoped that I could make my
connection configuration files read-only for the owner of the PHP
scripts, but that doesn't seem to be working. I get things like:

    Fatal error: Failed opening required './config.inc.php'
    (include_path='') in /home/sites/home/web/bleah/main.php on line 12

The config.inc.php file is being requested via an include or require
(which are supposed to be safe-mode compatible) within the PHP
scripts which are owned by the same user as the main.php script. As
soon as I make it so that the httpd daemon (i.e. everybody in the
world who has shell access to the server -- not that there are big
whacks of such people, but it's a hole and it annoys me) has access
by changing the file to be world-readable, it works fine.

This is counterintuitive to my understanding of how this should work.
I did a search of the archives and discovered somebody mentioning
that they do something to automagically compile in the passwords,
but when Carrie asked for details, none were forthcoming. Has anyone
else successfully figured out how to do this on their RaQ or am I
just being stupid and missing some php.ini configuration directive
that's necessary?

Thanks,
Michelle
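
The two checks involved in the include described above, modelled as an added example that is not part of the original post: safe mode compares the script owner's UID with the file owner's UID, while the kernel's read check uses the UID and groups of the web server process, which safe mode does not change. The UIDs, GIDs, the `httpd` group layout and the assumption that PHP runs inside the web server process are constructed for illustration.

```python
import stat

def kernel_allows_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Unix read check: exactly one class applies, tried as owner, group, other."""
    if proc_uid == 0:
        return True
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def safe_mode_allows(script_uid, file_uid):
    """safe_mode UID check: owner of the running script vs. owner of the target file."""
    return script_uid == file_uid

# Constructed identities (assumptions, not values from the post).
SITE_UID, SITE_GID = 1001, 1001    # owner of main.php and config.inc.php
HTTPD_UID, HTTPD_GID = 48, 48      # account the web server process runs as
SHELL_UID, SHELL_GID = 1002, 1002  # unrelated user with shell access

def evaluate(mode, file_gid):
    """Return (include_works, other_shell_user_can_read) for config.inc.php."""
    include_works = (
        safe_mode_allows(SITE_UID, SITE_UID)
        and kernel_allows_read(mode, SITE_UID, file_gid, HTTPD_UID, {HTTPD_GID})
    )
    exposed = kernel_allows_read(mode, SITE_UID, file_gid, SHELL_UID, {SHELL_GID})
    return include_works, exposed

# Permission layouts for config.inc.php: (label, mode, group owner).
LAYOUTS = [
    ("0400 site:site", 0o400, SITE_GID),    # owner-only: kernel denies the web server
    ("0644 site:site", 0o644, SITE_GID),    # world-readable: works, but exposed
    ("0640 site:httpd", 0o640, HTTPD_GID),  # group-readable by the web server only
]

def report():
    return {name: evaluate(mode, gid) for name, mode, gid in LAYOUTS}

if __name__ == "__main__":
    for name, (works, exposed) in report().items():
        print(f"{name:16} include works: {works!s:5}  "
              f"readable by other shell user: {exposed}")
```

In the group-readable layout the file is still readable by any code that runs as the web server account, so safe mode's owner check is the only separation between sites sharing that server.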