Shell script containing passwords.

Robert Barten robert at
Tue Feb 10 08:52:24 PST 2004

On Tue, Feb 10, 2004 at 03:28:14PM +0000, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson <purple at> writes:
> > 
> > >   I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my machine
> > > can read the auth script and read the passwords that would be contained
> > > within -- those to my MySQL server.
> > 
> > Why would the script be readable or writeable by any user?  
> > It only needs to be executable, right?
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it.  Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>   This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www).  As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>   There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts.  I'm trying to work it out this way now
> but it's a lot of hassle.

No need for safe_mode, set
php_admin_value open_basedir "/www/dir/to/user/"
in your vhost config, add if desired /tmp/phpupload/:/tmp/phpsession/
suphp doesn't work with mod_php AFAIR
Keep in mind: users (CGI scripts as well) can still browse into other user
directories unless you force them into one group (e.g. users), home to 705
and use SuEXEC.

Robert Barten

More information about the freebsd-questions mailing list