web page file security
Abstract: co1 & co2 are competitors in business and have space on the same shared box. Both are *nix savvy & ssh login is allowed on this box. While they cannot perform an "ls" in each other's /www directory (chmod 751), they are both smart enough to try "vi /www/co$x/index.html", index.htm, etc., until they find something they can read/use. Since index.whatever has a connection to MySQL, and uses a username/password to do so, we wish to hide this information from the competitor's prying eyes...at both the httpd & shell level.
Assumptions:
unix/linux
apache (httpd) runs as nobody:nobody with no valid shell in /etc/passwd. apache is php aware
you have root
/home/$dom/www -> /www/$dom
/www/$dom = web viewable (their web space), chmod 751 chown $user:$usergrp
I have come up with this.....
1. sensitive data should be in a file whose name begins with .ht* (apache by default knows these are a no-no to serve by themselves).
2. chown $user:nobody .ht_sensitivedata
3. chmod 640 .ht_sensitivedata
from index.html (or whatever) using php
<? include('.ht_sensitivedata'); ?>
(.ht_sensitivedata contains the MySQL database name, user name and password, as well as the connect string.)
I figure that the .ht* filename prevents it from being http://'d by itself, the chmod prevents world read (shell viewing), and along with the chown (or chgrp) it allows apache to read it via the php include.
does this scheme seem feasible?
On every reseller host I have been with, I can vi something in any user's www directory even if I cannot "ls" in there (of course, it's easy to figure out the web page file name). Knowing very little about MySQL/PHP & how the db connect string works, that username/password has to be in plain text somewhere....
I wanna protect it.
As I am not a security guru, I submit this for your evaluation. Thanks.
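Added example (not from the original post): a small shell audit that checks a secret include file against the three rules laid out above (name starts with .ht, owner is the site user, group is the httpd group, mode 640), so the setup can be re-verified after every edit or restore. It assumes GNU coreutils stat (Linux); the function and variable names are my own.

```shell
#!/bin/sh
# Audit a site's secret include file against the scheme from the post:
#   name starts with .ht  -> httpd's default <Files ~ "^\.ht"> rule refuses to serve it
#   owner  = site user    -> the customer can still edit it
#   group  = httpd group  -> php include() running as nobody can read it
#   mode   = 640          -> no world-read bit, other shell users get "Permission denied"
# Assumes GNU coreutils stat. Usage: check_secret_file FILE SITE_USER HTTPD_GROUP
# Prints one FAIL line per violated rule; returns 0 only when every rule holds.
check_secret_file() {
    file=$1
    site_user=$2
    httpd_group=$3
    rc=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file: not a regular file"
        return 1
    fi

    case "$(basename "$file")" in
        .ht*) ;;
        *) echo "FAIL: $file: name does not start with .ht, httpd would serve it on request"
           rc=1 ;;
    esac

    # octal mode, owner name, group name in one stat call
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1
    owner=$2
    group=$3

    if [ "$mode" != "640" ]; then
        echo "FAIL: $file: mode is $mode, expected 640"
        rc=1
    fi
    if [ "$owner" != "$site_user" ]; then
        echo "FAIL: $file: owner is $owner, expected $site_user"
        rc=1
    fi
    if [ "$group" != "$httpd_group" ]; then
        echo "FAIL: $file: group is $group, expected $httpd_group (httpd cannot read it)"
        rc=1
    fi
    return $rc
}

# Audit every .ht* file under a web root, e.g.: audit_site /www/co1 co1 nobody
audit_site() {
    root=$1; site_user=$2; httpd_group=$3; status=0
    for f in $(find "$root" -type f -name '.ht*'); do
        check_secret_file "$f" "$site_user" "$httpd_group" || status=1
    done
    return $status
}
```

The mode check only covers shell-level reads; anything httpd itself executes as nobody (including another customer's PHP on the same server) can still include() the file, since the group grant is to the httpd user.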