[ILUG] PHP, MySQL and Users...

Wesley Darlington wesley at blackstar.co.uk
Mon Sep 25 14:59:40 IST 2000


Hi,

David Oggs said...
>I'm helping set up a college box, and we were hoping to give users the
>ability to run (safe mode) php scripts and give them mysql accounts. The
>problem I'm having is how to keep mysql authentication details secure.
>Even if a script can only be read from the filesystem by the owner of the
>file and the group that php runs as it doesn't prevent another user
>from open()'ing it from another script. I think what I'm after is some
>way of making a suid php script, I remember seeing this before for
>perl and apache, just not too sure how to go about it with php+apache. And
>the usual searches weren't very helpful.

One way might be to run one apache/mod_php for every single user, as 
different users and have them listen on high-numbered ports. Then have
the main apache on port 80 just do proxying and rewriting to and from
these personal apaches. A bit (!) unwieldy if you have lots of users,
though. :-(

Another way might be to do something magical to take advantage of the
fact that apache starts off as root. Have it read in some modules (I'm
thinking in perl here) that are readable only by the owning user which
do the connecting to the database. All they'll do is return database
handles. They'll keep everything important in `my' variables so scripts
can look at $Other::Package::password. And they'll only return a
database handle if the requested uri is in that person's space.
The handler would probably need to be hooked into an early part of
the apache request process so it's more likely to get the real 
uri/virtualhost. It's not ideal, but it might discourage most people.
All this probably isn't even possible! :-(

All the best,
Wesley.
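
The per-user Apache layout from the first suggestion above, written out as an added configuration example that is not part of the original message. The user names alice and bob, ports 8001 and 8002, and all file paths are assumptions; the directives are Apache 2.x syntax and assume mod_proxy, mod_proxy_http, mod_userdir and the PHP module are already loaded.

```apache
# ---- Front-end httpd.conf (port 80): proxies only, runs no user PHP ----
# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off

# One pair of lines per user, each pointing at that user's own instance.
ProxyPass        /~alice/ http://127.0.0.1:8001/~alice/
ProxyPassReverse /~alice/ http://127.0.0.1:8001/~alice/
ProxyPass        /~bob/   http://127.0.0.1:8002/~bob/
ProxyPassReverse /~bob/   http://127.0.0.1:8002/~bob/

# ---- /etc/apache/users/alice.conf (hypothetical path), one file per user ----
# Started as: httpd -f /etc/apache/users/alice.conf
# Bind to loopback so the instance is reached only through the front end.
Listen 127.0.0.1:8001

# Every PHP script served here executes with alice's uid and gid.
# User/Group take effect only when httpd is started as root; starting it
# directly as alice also works because the port is above 1024.
User  alice
Group alice

PidFile  /var/run/apache-alice.pid
ErrorLog /var/log/apache/alice-error.log

# Serve alice's space only, so this instance never runs another user's code.
UserDir public_html
UserDir disabled
UserDir enabled alice
```

With this layout the file holding alice's MySQL credentials can be mode 0600 and owned by alice, with no shared PHP group needing read access. A script served by bob's instance runs as bob, so an open() on alice's file fails at the filesystem permission check.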



