Hi
I have the following problem: I want to grant different access rights
to different users on a page, identified by username/password. I want
to load the set of users/passwords from a database, from a file, or
whereever. This is more or less OK: outside users connecting via the
web can sent their username/password ($_POST variable), the script
checks it agains the users/passwords in the database, and grants
different access rights according to the username.
However, this is not safe against local users of the same machine:
since the php script of every local user runs under the same uid/gid,
every user can access the same database using a php script. One could
argue, that they can not figure out, how to access this database
(where it is located, if it requires a password, etc). But since my
php script must be readable by the www server (user=wwwrun), they can
read this script from a php script, which runs under the same uid.
I have found some articles about setting up different vhosts in
apache, and running these vhosts with different UID. But this needs
apache-configuration, as root. Is there a per-user way, which any user
can follow without the intervention of root, to set up a database,
which is only accessible by his php scripts?
Thank you
Daniel
5  1981  kk****@freemail.hu (Daniel Barna) wrote in message news:<46**************************@posting.google. com>... Hi
I have the following problem: I want to grant different access rights
to different users on a page, identified by username/password. I want
to load the set of users/passwords from a database, from a file, or
whereever. This is more or less OK: outside users connecting via the
web can sent their username/password ($_POST variable), the script
checks it agains the users/passwords in the database, and grants
different access rights according to the username.
However, this is not safe against local users of the same machine:
since the php script of every local user runs under the same uid/gid,
every user can access the same database using a php script. One could
argue, that they can not figure out, how to access this database
(where it is located, if it requires a password, etc). But since my
php script must be readable by the www server (user=wwwrun), they can
read this script from a php script, which runs under the same uid.
If the users use only database resource, how about just use database's
built-in security system?
I have found some articles about setting up different vhosts in
apache, and running these vhosts with different UID. But this needs
apache-configuration, as root. Is there a per-user way, which any user
can follow without the intervention of root, to set up a database,
which is only accessible by his php scripts?
don't forget vhost can't be set without restarting apache... Besides,
only root can change his own uid (unless you use nt), so that any
system-level methods can't work for you. aq*********@yahoo.co.uk (Aquila Deus) wrote in message news:<c5**************************@posting.google. com>... kk****@freemail.hu (Daniel Barna) wrote in message news:<46**************************@posting.google. com>...
If the users use only database resource, how about just use database's
built-in security system?
Hi,
I tried to play with mysql: set up a password for the database.
However, then I have to store this password somewhere: either in the
php script itself, or in a file, or whereever. But again, all other
users on the same machine can do the same: they can copy my script
file with the hardcoded password in it, or read the file containing
this password. I can't do these files (the script, or the one
containing the pw) unreadable by wwwrun, because then the php
interpreter itself could not read them. It means, that even if the
file permissions are set up in a way that other users can not directly
read it, they can write a php script, which will run under the user
wwwrun, and read these from their php script.
Another solution is to not store the password anywhere, but ask it
from my users via the _POST variable. But this is painful.
So the problem in general: whatever I do, all other users can also do,
since my and their php scripts run under the same uid.
Did I miss something? Are there better solutions?
Thanks
Daniel kk****@freemail.hu (Daniel Barna) wrote in message news:<46**************************@posting.google. com>... aq*********@yahoo.co.uk (Aquila Deus) wrote in message news:<c5**************************@posting.google. com>... kk****@freemail.hu (Daniel Barna) wrote in message news:<46**************************@posting.google. com>...
If the users use only database resource, how about just use database's
built-in security system?
Hi,
I tried to play with mysql: set up a password for the database.
However, then I have to store this password somewhere: either in the
php script itself, or in a file, or whereever. But again, all other
users on the same machine can do the same: they can copy my script
file with the hardcoded password in it, or read the file containing
this password. I can't do these files (the script, or the one
containing the pw) unreadable by wwwrun, because then the php
interpreter itself could not read them. It means, that even if the
file permissions are set up in a way that other users can not directly
read it, they can write a php script, which will run under the user
wwwrun, and read these from their php script.
Another solution is to not store the password anywhere, but ask it
from my users via the _POST variable. But this is painful.
So the problem in general: whatever I do, all other users can also do,
since my and their php scripts run under the same uid.
Did I miss something? Are there better solutions?
You can encode the password by md5 or other one-way hash function, so
that it would be safe even if somebody opens it. But the users would
not be able to restore password if they forget it (however you could
empty password and generate a new one for them).
Otherwise, as I wrote previously, use database's security system.
Databases such as MySQL have its own method to manage user
permissions. Instead of checking username/password in php, you could
create user accounts in mysql, then call mysql to check it.
> You can encode the password by md5 or other one-way hash function, so that it would be safe even if somebody opens it. But the users would
not be able to restore password if they forget it (however you could
empty password and generate a new one for them).
Otherwise, as I wrote previously, use database's security system.
Databases such as MySQL have its own method to manage user
permissions. Instead of checking username/password in php, you could
create user accounts in mysql, then call mysql to check it.
I am afraid I miss some basic knowledge. Up to now I used mysql from
php as follows:
$dbid = mysql_connect("hostname","username","password");
After this MySQL knows, what rights I have, and does not let me
access/modify/whatever those databases, to which I have no permission.
Is this what you meant by letting MySQL manage usernames and
passwords?
But now username and password is hardcoded in my php script, which is
readable by wwwrun, so any other local users (on the machine) can also
read my script, so they will have the same rights as I have. Even if I
don't hardcode username and password in the php script, but store in a
file, say, this file must be readable by wwwrun, so again, any other
users of the machine, who have right to run php scripts, will be able
to read my file containing the username and password.
So what is the solution to grant acces to files/databases only from
those php scripts, which are OWNED by user1, and deny access for php
scripts OWNED by any other users?
Thanks
Daniel
In article <46**************************@posting.google.com >, kk****@freemail.hu (Daniel Barna) wrote: You can encode the password by md5 or other one-way hash function, so
that it would be safe even if somebody opens it. But the users would
not be able to restore password if they forget it (however you could
empty password and generate a new one for them).
Otherwise, as I wrote previously, use database's security system.
Databases such as MySQL have its own method to manage user
permissions. Instead of checking username/password in php, you could
create user accounts in mysql, then call mysql to check it.
I am afraid I miss some basic knowledge. Up to now I used mysql from
php as follows:
$dbid = mysql_connect("hostname","username","password");
After this MySQL knows, what rights I have, and does not let me
access/modify/whatever those databases, to which I have no permission.
Is this what you meant by letting MySQL manage usernames and
passwords?
But now username and password is hardcoded in my php script, which is
readable by wwwrun, so any other local users (on the machine) can also
read my script, so they will have the same rights as I have. Even if I
don't hardcode username and password in the php script, but store in a
file, say, this file must be readable by wwwrun, so again, any other
users of the machine, who have right to run php scripts, will be able
to read my file containing the username and password.
So what is the solution to grant acces to files/databases only from
those php scripts, which are OWNED by user1, and deny access for php
scripts OWNED by any other users?
Thanks
Daniel
Read this article: http://shiflett.org/articles/security-corner-mar2004
--
DeeDee, don't press that button! DeeDee! NO! Dee... This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Kim Lots |
last post by:
Hi
Sorry to disturb you again but i really like to know
what's the NTFS folder permissions on a "virtual directory" folder
for a public webserver iis 5.x running ASP 3.0 with an Access DB on a...
|
by: Brad H McCollum |
last post by:
I'm writing an application using VB 6.0 as the front-end GUI, and the
MSDE version of SQL Server as the back-end (it's a program for a
really small # of users --- less then 3-4).
I'm trying to...
|
by: !!! Klutzo !!! |
last post by:
I give permissions for ASPNET on a top level subdirectory.
A windows program copies a file into the subdirectory, however, my web
service cannot access the file because it does not have...
|
by: Jozef |
last post by:
Hello,
Is there a way to change table permissions in VB Code? I can't seem to find
much that's concise in the help file. Here's the situation;
I have a table in the "data" portion of a split...
|
by: none |
last post by:
Hello:
I had a nice php application running on my server here at home, and I
uploaded it to a shared public type server and it started to break all
over the place. It turns out that some...
|
by: MLH |
last post by:
Invalid qualifier error displays at compile time on this A97 example
from Permissions Property HELP. What's wrong with the strContainerName
assignment line? (6th line)
Sub...
|
by: Curt K |
last post by:
We run some web services (IIS 5 and IIS 6) that communicate to a COM out of
process server, which in turn communicates to another out of process COM
server (long story). We have had lots of...
|
by: jporter188 |
last post by:
Hello,
I am working on a project to manipulate XML files. All of the files,
the code, and the output are on network drives. When I run my program
I get an exception (see below). I tried giving...
|
by: palepimp |
last post by:
Hello all,
I have searched far and wide for a solution to my issue. In short, here is the problem:
1. 3 PC's enter data into an Access 2003 database (PC's are running Vista w/ Office 2007...
|
by: DotNetNewbie |
last post by:
Hello,
in my web application, I have to create permissions for each user. So
what I am doing is that for each role (using sqlmembership in .net) I
am creating a column in the database to hold a...
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome former...
|
by: ryjfgjl |
last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
| |
