Basic security question

deko wrote:

If I have scripts located in public_html, can anyone download them and see
the code? For example, if I have an authentication script with code that
I don't want anyone to see, is it safe in public_html?

Anybody whom can get code to run on the webserver can see the source by
writing a suitable script (e.g. '<?php print
file_get_contents('/home/user/public_html/private.php'; ?> )

If they can't get code onto the server, they can't see the source unless you
make it visible.

C.

> > If I have scripts located in public_html, can anyone download them and
see

the code? For example, if I have an authentication script with code that I don't want anyone to see, is it safe in public_html?
Anybody whom can get code to run on the webserver can see the source by
writing a suitable script (e.g. '<?php print
file_get_contents('/home/user/public_html/private.php'; ?> )

If they can't get code onto the server, they can't see the source unless

you make it visible.

So it sounds like if my host is doing it's job, I should be okay. But what
about in a shared environment? I assume my host has some kind of security
in place to keep other accounts out of my disk space.

"deko" <de**@hotmail.com> writes:

So it sounds like if my host is doing it's job, I should be okay.
But what about in a shared environment? I assume my host has some
kind of security in place to keep other accounts out of my disk
space.

Best you don't assume anything. Ask your hosting company about
security against other developers on the same site being able to
access your scripts.

If you have shell access to this box, dig around yourself to see
what's possible from another developer's perspective. Can you see the
other guys' code? If so, they can very likely see yours.

Though you may have FTP access that's setup to put you in a chrooted
environment, you'd be surprised what can be learned by writing scripts
to do the "looking" around and then running them.

Want to learn who's on this box? Write a script to 'ls /home'. See
something of interest? Write a script to 'find /home/foo'.

Might work, might not. If you are very concerned about security, all
of this needs to be explored.

From an old time security buster...

--
-------------------------------------------------------------------------------
Jerry Sievers 305 854-3001 (home) WWW ECommerce Consultant
305 321-1144 (mobile http://www.JerrySievers.com/

In article <Va****************@newssvr21.news.prodigy.com>,
"deko" <de**@hotmail.com> wrote:

So it sounds like if my host is doing it's job, I should be okay. But what
about in a shared environment? I assume my host has some kind of security
in place to keep other accounts out of my disk space.

One of the security issues with php is in a shared environment. The web
server has to have read access to the scripts and images, so commonly
they're owned by the user but given 644 permissions. SO, another user
with a shell account can read your files. Don't put passwords in them.

The only way you can protect against this is to restrict permissions on
your files to 600 and use something like CGIwrap (google for it) to run
scripts as your UID. I did this with my perl scripts and it works just
fine.

Read http://shiflett.org/articles/security-corner-mar2004 for more info.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

<?php echo `whoami`; ?>

That will tell you what user apache is running as. Thought that might
help...

Notice those are backticks `` and not single quotes ''.

-JI