Flat file security


Question

Hi all,

I'm sure this is a popular question that comes up every few months
here. Indeed, I've looked at some of the past postings, but I would
like to ask things differently.

Basically, I'm using a flat file to store data. I have to do this
because mySQL is not installed on my web server, and I am not the root
user. The amount of data is so small, that it isn't worth a full-blown
database anyway. However, while the data is nothing valuable
(generally e-mail addresses), I would like to make it as secure as
possible. Both from robots and from other users.

I found this useful posting in comp.lang.php (some parts cut) dating
from 2002:

-----
1. Put the file containing userdata _outside_ your webdirectory.

or

2. Use a robots.txt to tell robots to not read the data.
Save the file to root on your web as robots.txt, and (as an example)
with
the following content:

User-Agent: *
Disallow: /directory_containing_a_lot_of_email_adresses_and
_other_juicy_user_stuff

or

3. Wrap the data in an auth of some sort (may be difficult if you use
that
data for the auth....;-)
-----

I can do #1 and I was wondering if that is sufficient. As the non-root
user, I guess I cannot do #2... Can I also move the php scripts that
write the flat files outside my web directory? Or is that not
necessary?

Also, as the host is a Unix machine, what permissions are suggested for
the following? Of course, I only want the web server and me to be able
to read and write to them. I've thought about the permissions and have
inserted them below.

1) directory of the php scripts that writes the flat files
-rwx---r-x

2) the php scripts that writes the flat files
-rwx---r-x

3) the directory of the flat files
-rwx---rwx

4) the flat files themselves
-rwx---rw-

Is this possible? Can I do better?

I'm also new to php... I've hard-coded the paths to the flat files
inside my php files, as one must, I guess. Is there a way for people
to see the source of the php files so that they can extract the hard
coded paths?

Thank you!

Ray

Answers

ra******@gmail.com wrote:
> I can do #1 and I was wondering if that is sufficient. As the non-root
> user, I guess I cannot do #2... Can I also move the php scripts that
> write the flat files outside my web directory? Or is that not
> necessary?

My pick would also be option #1. Moving the php scripts outside the
webdirectory is not only not necessary, but also impossible if you still
want to execute them from the web.

> 1) directory of the php scripts that writes the flat files
> -rwx---r-x
>
> 2) the php scripts that writes the flat files
> -rwx---r-x
>
> 3) the directory of the flat files
> -rwx---rwx
>
> 4) the flat files themselves
> -rwx---rw-
>
> Is this possible? Can I do better?

I'm not sure why you leave all the group permissions empty and why other
(world) do get permissions. If the webserver user is the owner of the
flat files directory, you can change that to -rwx------
Same goes for the flat files themselves.

> I'm also new to php... I've hard-coded the paths to the flat files
> inside my php files, as one must, I guess. Is there a way for people
> to see the source of the php files so that they can extract the hard
> coded paths?




No, not as long as PHP works on the webserver, because the script gets
interpreted by the webserver and only the output of the scripts is being
sent to the client (webbrowser).

--
http://www.phpforums.nl


ra******@gmail.com wrote:
> Hi all,
>
> I'm sure this is a popular question that comes up every few months
> here. Indeed, I've looked at some of the past postings, but I would
> like to ask things differently.
>
> Basically, I'm using a flat file to store data. I have to do this
> because mySQL is not installed on my web server, and I am not the root
> user. The amount of data is so small, that it isn't worth a full-blown
> database anyway. However, while the data is nothing valuable
> (generally e-mail addresses), I would like to make it as secure as
> possible. Both from robots and from other users.
>
> I found this useful posting in comp.lang.php (some parts cut) dating
> from 2002:
>
> -----
> 1. Put the file containing userdata _outside_ your webdirectory.
>
> or
>
> 2. Use a robots.txt to tell robots to not read the data.
> Save the file to root on your web as robots.txt, and (as an example)
> with
> the following content:
>
> User-Agent: *
> Disallow: /directory_containing_a_lot_of_email_adresses_and
> _other_juicy_user_stuff
>
> or
>
> 3. Wrap the data in an auth of some sort (may be difficult if you use
> that
> data for the auth....;-)
> -----
>
> I can do #1 and I was wondering if that is sufficient.

No, the only advantage working outside webroot is that a simple request to
the right place will not be answered by the webserver.
But you can also do so by other means.

> As the non-root user, I guess I cannot do #2...

Yes you can.
You can place a robots.txt file just as you can place any other text file.

> Can I also move the php scripts that write the flat files outside my web directory? Or is that not
> necessary?

Yes, can be done.
Pay attention to permissions however. :-)
If you do not, you can end up with files that are readable to the world,
that is 'everybody' who has access to your system.
When using shared hosting, that is everybody else on the same system.

> Also, as the host is a Unix machine, what permissions are suggested for
> the following? Of course, I only want the web server and me to be able
> to read and write to them. I've thought about the permissions and have
> inserted them below.
>
> 1) directory of the php scripts that writes the flat files
> -rwx---r-x
>
> 2) the php scripts that writes the flat files
> -rwx---r-x
>
> 3) the directory of the flat files
> -rwx---rwx
>
> 4) the flat files themselves
> -rwx---rw-
>
> Is this possible? Can I do better?

Yes you can.
Suppose I am on the same machine:
- I can see directory 3)
- I can browse the content of directory 3)
- I can read/modify files in directory 3)

> I'm also new to php... I've hard-coded the paths to the flat files
> inside my php files, as one must, I guess. Is there a way for people
> to see the source of the php files so that they can extract the hard
> coded paths?

Sometimes.
Your php scripts have permission -rwx---r-x, so if I am on the same machine,
I can possibly read your PHP files.

Some time ago I discussed a similar problem with macbri.
Here is a link:
http://groups.google.nl/group/comp.lang.php/browse_thread/thread/c8751c8082573e64/35398dedf888542a?lnk=st&q=erwin+moller++permission+directory&rnum=2&hl=nl#35398dedf888542a

Maybe that helps setting up something a lot more secure.
It involves denying directory listings combined with a very long strange name
for a directory.

I hope it helps.
Good luck.

Regards,
Erwin Moller

> Thank you!
>
> Ray






Peter van Schie wrote:
> ra******@gmail.com wrote:
>> I can do #1 and I was wondering if that is sufficient. As the non-root
>> user, I guess I cannot do #2... Can I also move the php scripts that
> My pick would also be option #1. Moving the php scripts outside the
> webdirectory is not only not necessary, but also impossible if you still
> want to execute them from the web.






Ah, I see. I didn't know it would not be possible to run php scripts
if they are outside the web directory. Thanks!

>> 1) directory of the php scripts that writes the flat files
>> -rwx---r-x
>>
>> 2) the php scripts that writes the flat files
>> -rwx---r-x
>>
>> 3) the directory of the flat files
>> -rwx---rwx
>>
>> 4) the flat files themselves
>> -rwx---rw-




> I'm not sure why you leave all the group permissions empty and why other
> (world) do get permissions. If the webserver user is the owner of the
> flat files directory, you can change that to -rwx------
> Same goes for the flat files themselves.







Hmmm...I noticed the files are made by the user www-data. I guess I
didn't know what privileges it had. I enabled the world permissions
for the directories and files for it...

I also tried chown'ing the file so that www-data owns it. I also tried
to create a group so that only I and www-data are in it. Neither seems
to work as I'm not the root user.

But, say I could make files owned by www-data and give it -rwx------.
How could I read them?
> No, not as long as PHP works on the webserver, because the script gets
> interpreted by the webserver and only the output of the scripts is being
> sent to the client (webbrowser).






Ray



Since php is server-side code, this is what I thought; but I also was
worried that there is some way to get around it. Thanks for confirming
to me that there isn't.

Ray
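The permission advice in this thread (Peter: -rwx------ on the flat-file directory and the files, Erwin: anything with group or other bits set is open to every other account on a shared host) can be checked mechanically. The script below is an added example written for this page, not code posted by Ray, Peter or Erwin. It lays out a data directory beside a web root, applies the recommended modes under umask 077, converts the thread's symbolic notation (-rwx---rwx) to octal so Ray's proposed modes can be applied and audited, and lists every path that still grants group or other access. The directory names, the constructed sample data and the assumption that the account running the script owns the files are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: build a flat-file store the way
# Peter and Erwin recommend (data directory outside the web root, 0700 on the
# directories, 0600 on the files, umask 077 for anything the script creates)
# and audit it for the group/other bits that Ray's proposed modes leave open.
# Assumption: the account running this script is the one that owns the files.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeed only when neither group nor other has any permission bit set.
is_private() {
    m=$(mode_of "$1")
    head=${m%??}               # everything but the last two octal digits
    case ${m#"$head"} in       # last two digits: group, other
        00) return 0 ;;
        *)  return 1 ;;
    esac
}

# Convert the thread's symbolic notation (e.g. -rwx---rwx) to octal (707).
sym_to_octal() {
    case $1 in
        ??????????) ;;         # type column plus nine permission characters
        *) echo "usage: sym_to_octal -rwxrwxrwx" >&2; return 1 ;;
    esac
    s=${1#?}                   # drop the file-type column
    out=''
    while [ -n "$s" ]; do
        rest=${s#???}
        tri=${s%"$rest"}       # next three characters (user, group or other)
        s=$rest
        n=0
        case $tri in r??) n=$((n + 4)) ;; esac
        case $tri in ?w?) n=$((n + 2)) ;; esac
        case $tri in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# Lay out a web root beside a private data directory (constructed sample data).
setup_store() {
    base=$1
    ( umask 077                # anything created here starts as 0600/0700
      mkdir -p "$base/public_html" "$base/private/data"
      printf 'alice@example.com\nbob@example.com\n' > "$base/private/data/subscribers.txt" )
    chmod 755 "$base/public_html"                   # the web root itself stays servable
    chmod 700 "$base/private" "$base/private/data"  # Peter's -rwx------ for the data tree
    chmod 600 "$base/private/data/subscribers.txt"
}

# Print "<mode> <path>" for every entry under $1 that another account could touch.
audit_store() {
    find "$1" -print | while IFS= read -r p; do
        is_private "$p" || printf '%s %s\n' "$(mode_of "$p")" "$p"
    done
}

# Number of exposed entries under $1 (0 means the whole tree is private).
exposed_count() {
    audit_store "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration on a throwaway directory.
demo() {
    base=$(mktemp -d)
    setup_store "$base"
    printf 'after setup: %s exposed path(s)\n' "$(exposed_count "$base/private")"
    # Now apply the modes Ray proposed for items 3) and 4) and audit again.
    chmod "$(sym_to_octal -rwx---rwx)" "$base/private/data"
    chmod "$(sym_to_octal -rwx---rw-)" "$base/private/data/subscribers.txt"
    printf "with Ray's modes for 3) and 4):\n"
    audit_store "$base/private"
    rm -rf "$base"
}
demo
```

Run it as the account that owns the files; the audit reports nothing after setup and two entries once Ray's -rwx---rwx and -rwx---rw- are applied, which is exactly what Erwin's "suppose I am on the same machine" walk-through relies on. Ray's later problem, that the files are created by www-data and his own account cannot chown them or create a shared group, is outside what chmod can fix: files that www-data owns with mode 0700 are unreadable to his shell account, so on such hosting the data is reachable for him only through the script that owns it, or by having the host run PHP as his own account (suEXEC or a per-user PHP-FPM pool) so that the files are created with his ownership in the first place.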

