Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: config.inc.php and security  (Read 5061 times)

0 Members and 1 Guest are viewing this topic.

cgc0202

  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 199
config.inc.php and security
« on: April 22, 2006, 02:07:23 am »
Hi,

OK, maybe I am being paranoid.  But, the "config.inc.php" contains very sensitive information. While it is not foolproof against a malicious and determine hacker, what is the minimum permissions so that the "config.inc.php" can still be read by the program for the execution of the functions of the photogallery. 

After the installation, can it be changed from the current "644" -> "600".  In fact, based on the information included in there, can it be changed to  "400" since there should be really nothing there that would require any "write" permissions.

cgc0202
Logged

donnoman

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1615
  • From donovanbray.com
    • Donovan Bray
Re: config.inc.php and security
« Reply #1 on: April 22, 2006, 08:31:48 am »
No you can't normally reduce the permissions on config.php to 600 or 400 since it would be stupid to run your apache user as the owner of the files.  You would have to have a custom install of apache to shoot yourself in the foot in this way anyway.

In some very specific instances you might be able to reduce the permissions to 640 if and only if your apache user is in the same group that owns the files. (again not a common occurance out in webhost land).

In almost all cases 644 is going to be the minimum you can get away with. If your host has properly chrooted your ftp sessions, and blocked shell access, it should prevent casual snooping.  My guess is that this setup wouldn't stop somebody who has managed to install one of the backdoor scripts that can be installed via vulnerable installations of various web scripts.

It's not functional yet but http://httpd.apache.org/docs/2.0/mod/perchild.html is trying to address this vulnerability by essentially providing a chrooted apache environment per virtual server.

The default security on the files on a well setup webhost has worked for hundreds of thousands of installs of coppermine.  I wouldn't sweat this one too much.


Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: config.inc.php and security
« Reply #2 on: April 22, 2006, 08:37:13 am »
The file needs to be readable for the user your webserver runs under. It's impossible to say for us what the exact CHMOD settings are for your server setup. Find out by trial and error or ask your webhost. Yes, this is paranoid. If the server is set up correctly, there's no danger nor risk.
Quote from: cgc0202 on April 22, 2006, 02:07:23 am
While it is not foolproof against a malicious and determine hacker
Oh yeah? How's Mr.Hacker going to retrieve the information that is contained in this file? All PHP/mysql driven apps need to store the mysql data in a file. If a determined hacker can get them, no app would be safe.

Donnoman posted while I was typing my reply. Posting it still, although Donnoman basically answers the question already.
Logged
Pages: [1]   Go Up
« previous next »
 

Page created in 0.03 seconds with 19 queries.