Re: My rant about unix home directories

Many PHP packages and cgi scripts ask you to store database settings
and passwords in web space.

I did not encounter them. And if you DO encounter them, you can always let those pages call a script outside the web root. And of course you should. The web root is PUBLIC space. So, anything you put in there is publicly available. Things that should not be publicly available should be kept out of there. Period.


Of course, it's secure, so long as configuration files are given
a [.php|.cgi] extension, right?

Wrong.
Wrong indeed. Alas there are ways for a hacker to get to the source sometimes.

I think most of us have seen misconfigured web servers that send the contents of PHP files rather than running them through an interpreter
at some point. A .php extension does not give a configuration file
security. I've seen this happen many times, as I'm sure anyone here has.

Time was, all the CGI programming FAQs would warn you about this; they would
tell you, always make sure passwords and critical pieces of information are
kept safely outside web space. This "old timer" advice still applies.

The general rule was, if you don't want it sent to the browser, don't put it on
the web server. (meaning, in "web space")

Don't protect something with an .htaccess file.

Don't protect something with a .php|.cgi or .whatever

Just don't put critical bits of data on the web server. (unless you
have no choice)

But.. not any more, we've forgotten this ancient advice.

We now routinely ask people to edit some sort of .php file for database
settings and save it in the same directory as the script running it. It's
common practice, heck I've done it a few times.... From what I gather,
PHP's so called "safe mode" (isn't that a kick in the teeth) demands you do this.

It's convenient, it's what users have come to expect.

But... it is not secure.

We have home directories for this sort of thing and I just wish we'd get back
to the old practice of using them for their intended purpose before ISPs start
making a person's home directory the same as the web directory.

There. rant over. Sorry.. had to say it, I don't expect anyone to actually
listen to it or anything, people seldom do.

You may go back to storing all your critical database settings in web space
now. :-)

My web root still has some settings.php. I had to, as my development environment and my provider's environment differ too much. Of course, all it does is correct the right settings that it digs up from a deeper, "require"d file outside the web space (both live and on development).

Thanks for the warning. Take a glass of water, cool down from your rant and have a nice weekend.
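The layout described in this reply (a small settings.php in web space that pulls the real credentials from a file outside the web root), written out as an added example; this is not code from the thread, and the paths, the db.php file and the loadDbSettings() name are assumed for illustration:

```php
<?php
// Added example, not from the thread. Assumed layout (constructed):
//   /var/www/example.com/htdocs/settings.php   <- in web space, public
//   /var/www/example.com/private/db.php        <- outside web space
// The private file only returns an array, e.g.:
//   <?php return ['host' => 'db.internal', 'user' => 'app',
//                 'password' => 'PLACEHOLDER', 'name' => 'appdb'];
declare(strict_types=1);

function loadDbSettings(string $webRoot, string $privateFile): array
{
    $realWebRoot = realpath($webRoot);
    $realPrivate = realpath($privateFile);
    if ($realWebRoot === false || $realPrivate === false) {
        throw new RuntimeException('Web root or private settings file not found');
    }
    // Refuse to run if the "private" file actually sits inside web space:
    // a misconfigured server could then hand its contents to any browser.
    $prefix = rtrim($realWebRoot, '/') . '/';
    if (strpos($realPrivate, $prefix) === 0) {
        throw new RuntimeException("$realPrivate is inside web root $realWebRoot");
    }
    $settings = require $realPrivate;
    if (!is_array($settings)) {
        throw new RuntimeException('Private settings file must return an array');
    }
    foreach (['host', 'user', 'password', 'name'] as $key) {
        if (!isset($settings[$key])) {
            throw new RuntimeException("Missing database setting: $key");
        }
    }
    // Environment-specific corrections live here; the secrets do not.
    if (($_SERVER['SERVER_NAME'] ?? '') === 'localhost') {
        $settings['host'] = '127.0.0.1';
    }
    return $settings;
}

// settings.php itself holds nothing worth stealing if served as plain text.
$db = loadDbSettings(
    $_SERVER['DOCUMENT_ROOT'] ?? __DIR__,
    dirname(__DIR__) . '/private/db.php'
);
```

If the web server ever serves settings.php raw, the reader gets only the path of the private file, not the credentials; the private file itself is never reachable by URL.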
