permissions?

Hi
I have the following problem: I want to grant different access rights
to different users on a page, identified by username/password. I want
to load the set of users/passwords from a database, from a file, or
whereever. This is more or less OK: outside users connecting via the
web can sent their username/password ($_POST variable), the script
checks it agains the users/passwords in the database, and grants
different access rights according to the username.
However, this is not safe against local users of the same machine:
since the php script of every local user runs under the same uid/gid,
every user can access the same database using a php script. One could
argue, that they can not figure out, how to access this database
(where it is located, if it requires a password, etc). But since my
php script must be readable by the www server (user=wwwrun), they can
read this script from a php script, which runs under the same uid.

I have found some articles about setting up different vhosts in
apache, and running these vhosts with different UID. But this needs
apache-configuration, as root. Is there a per-user way, which any user
can follow without the intervention of root, to set up a database,
which is only accessible by his php scripts?

Thank you
Daniel

re: permissions?

kkk333@freemail.hu (Daniel Barna) wrote in message news:<468adf60.0409191417.3a8c7552@posting.google. com>...[color=blue]
> Hi
> I have the following problem: I want to grant different access rights
> to different users on a page, identified by username/password. I want
> to load the set of users/passwords from a database, from a file, or
> whereever. This is more or less OK: outside users connecting via the
> web can sent their username/password ($_POST variable), the script
> checks it agains the users/passwords in the database, and grants
> different access rights according to the username.
> However, this is not safe against local users of the same machine:
> since the php script of every local user runs under the same uid/gid,
> every user can access the same database using a php script. One could
> argue, that they can not figure out, how to access this database
> (where it is located, if it requires a password, etc). But since my
> php script must be readable by the www server (user=wwwrun), they can
> read this script from a php script, which runs under the same uid.[/color]

If the users use only database resource, how about just use database's
built-in security system?
[color=blue]
>
> I have found some articles about setting up different vhosts in
> apache, and running these vhosts with different UID. But this needs
> apache-configuration, as root. Is there a per-user way, which any user
> can follow without the intervention of root, to set up a database,
> which is only accessible by his php scripts?[/color]

don't forget vhost can't be set without restarting apache... Besides,
only root can change his own uid (unless you use nt), so that any
system-level methods can't work for you.

re: permissions?

aquila_deus@yahoo.co.uk (Aquila Deus) wrote in message news:<c5cfac8f.0409202307.58d7ea88@posting.google. com>...[color=blue]
> kkk333@freemail.hu (Daniel Barna) wrote in message news:<468adf60.0409191417.3a8c7552@posting.google. com>...
>
> If the users use only database resource, how about just use database's
> built-in security system?
>[/color]

Hi,
I tried to play with mysql: set up a password for the database.
However, then I have to store this password somewhere: either in the
php script itself, or in a file, or whereever. But again, all other
users on the same machine can do the same: they can copy my script
file with the hardcoded password in it, or read the file containing
this password. I can't do these files (the script, or the one
containing the pw) unreadable by wwwrun, because then the php
interpreter itself could not read them. It means, that even if the
file permissions are set up in a way that other users can not directly
read it, they can write a php script, which will run under the user
wwwrun, and read these from their php script.

Another solution is to not store the password anywhere, but ask it
from my users via the _POST variable. But this is painful.

So the problem in general: whatever I do, all other users can also do,
since my and their php scripts run under the same uid.

Did I miss something? Are there better solutions?

Thanks
Daniel

re: permissions?

kkk333@freemail.hu (Daniel Barna) wrote in message news:<468adf60.0409211009.1eedc2f5@posting.google. com>...[color=blue]
> aquila_deus@yahoo.co.uk (Aquila Deus) wrote in message news:<c5cfac8f.0409202307.58d7ea88@posting.google. com>...[color=green]
> > kkk333@freemail.hu (Daniel Barna) wrote in message news:<468adf60.0409191417.3a8c7552@posting.google. com>...
> >
> > If the users use only database resource, how about just use database's
> > built-in security system?
> >[/color]
>
> Hi,
> I tried to play with mysql: set up a password for the database.
> However, then I have to store this password somewhere: either in the
> php script itself, or in a file, or whereever. But again, all other
> users on the same machine can do the same: they can copy my script
> file with the hardcoded password in it, or read the file containing
> this password. I can't do these files (the script, or the one
> containing the pw) unreadable by wwwrun, because then the php
> interpreter itself could not read them. It means, that even if the
> file permissions are set up in a way that other users can not directly
> read it, they can write a php script, which will run under the user
> wwwrun, and read these from their php script.
>
> Another solution is to not store the password anywhere, but ask it
> from my users via the _POST variable. But this is painful.
>
> So the problem in general: whatever I do, all other users can also do,
> since my and their php scripts run under the same uid.
>
> Did I miss something? Are there better solutions?[/color]

You can encode the password by md5 or other one-way hash function, so
that it would be safe even if somebody opens it. But the users would
not be able to restore password if they forget it (however you could
empty password and generate a new one for them).

Otherwise, as I wrote previously, use database's security system.
Databases such as MySQL have its own method to manage user
permissions. Instead of checking username/password in php, you could
create user accounts in mysql, then call mysql to check it.

re: permissions?

> You can encode the password by md5 or other one-way hash function, so[color=blue]
> that it would be safe even if somebody opens it. But the users would
> not be able to restore password if they forget it (however you could
> empty password and generate a new one for them).
>
> Otherwise, as I wrote previously, use database's security system.
> Databases such as MySQL have its own method to manage user
> permissions. Instead of checking username/password in php, you could
> create user accounts in mysql, then call mysql to check it.[/color]

I am afraid I miss some basic knowledge. Up to now I used mysql from
php as follows:

$dbid = mysql_connect("hostname","username","password");

After this MySQL knows, what rights I have, and does not let me
access/modify/whatever those databases, to which I have no permission.
Is this what you meant by letting MySQL manage usernames and
passwords?
But now username and password is hardcoded in my php script, which is
readable by wwwrun, so any other local users (on the machine) can also
read my script, so they will have the same rights as I have. Even if I
don't hardcode username and password in the php script, but store in a
file, say, this file must be readable by wwwrun, so again, any other
users of the machine, who have right to run php scripts, will be able
to read my file containing the username and password.

So what is the solution to grant acces to files/databases only from
those php scripts, which are OWNED by user1, and deny access for php
scripts OWNED by any other users?

Thanks
Daniel

re: permissions?

In article <468adf60.0410170458.36f49fbc@posting.google.com >,
kkk333@freemail.hu (Daniel Barna) wrote:
[color=blue][color=green]
> > You can encode the password by md5 or other one-way hash function, so
> > that it would be safe even if somebody opens it. But the users would
> > not be able to restore password if they forget it (however you could
> > empty password and generate a new one for them).
> >
> > Otherwise, as I wrote previously, use database's security system.
> > Databases such as MySQL have its own method to manage user
> > permissions. Instead of checking username/password in php, you could
> > create user accounts in mysql, then call mysql to check it.[/color]
>
> I am afraid I miss some basic knowledge. Up to now I used mysql from
> php as follows:
>
> $dbid = mysql_connect("hostname","username","password");
>
> After this MySQL knows, what rights I have, and does not let me
> access/modify/whatever those databases, to which I have no permission.
> Is this what you meant by letting MySQL manage usernames and
> passwords?
> But now username and password is hardcoded in my php script, which is
> readable by wwwrun, so any other local users (on the machine) can also
> read my script, so they will have the same rights as I have. Even if I
> don't hardcode username and password in the php script, but store in a
> file, say, this file must be readable by wwwrun, so again, any other
> users of the machine, who have right to run php scripts, will be able
> to read my file containing the username and password.
>
> So what is the solution to grant acces to files/databases only from
> those php scripts, which are OWNED by user1, and deny access for php
> scripts OWNED by any other users?
>
> Thanks
> Daniel[/color]

Read this article:

http://shiflett.org/articles/security-corner-mar2004

--
DeeDee, don't press that button! DeeDee! NO! Dee...