5

I'm currently developing a PHP framework. Other developers may create modules for the framework. Source code of these modules should reside in the framework directory.

Since the project is open-source, modules know location of the config file which has database password in it. How to protect passwords from malicious modules? Please check that modules may just require_once the config file and do harmful things!

Currently I'm storing Database passwords in a directory named config, and protecting it by a .htaccess file:

<Directory config>
order allow,deny
deny from all
<Directory>

But that is not sufficient to prevent scripts steal the password, is it?

I've read the thread How to secure database passwords in PHP? but it did not help me finding the answer.

Community
  • 1
  • 1
Shafiul
  • 2,832
  • 9
  • 37
  • 55
  • 1
    You cannot (sensefully). Note that it's possible to [preconfigure the connection in the php.ini](http://www.php.net/manual/en/mysql.configuration.php) - but `ini_get()` can probably read it out there too. – mario Aug 28 '11 at 13:07

8 Answers8

3

In PHP, you can't. It's not a sandboxed language; any code you run gets all the permissions of the user it's running under. It can read and write files, execute commands, make network connections, and so on, You must absolutely trust any code you're bringing in to your project to behave well.

If you need security boundaries, you would have to implement them yourself through privilege separation. Have each module run in its own process, as a user with very low privileges. Then you need some sort of inter-process communication. That could be using OS-level pipes, or by having separate .php files run as different users running as web services accessed by the user-facing scripts. Either way, it doesn't fit neatly into the usual way PHP applications work.

Or use another language such as Java, which can offer restricted code with stronger guarantees about what it is allowed to do (see SecurityManager et al).

bobince
  • 528,062
  • 107
  • 651
  • 834
2

Unfortunately, PHP is not a very secure language or runtime. However, the best way to secure this sort of information is to provide a configuration setting that has your username/password in it, outside of your document root. In addition, the modules should just use your API to get a database connection, not create one of their own based on this file. The config setting should not be global. You should design something like this in a very OOP style and provide the necessary level of encapsulation to block unwarranted access.

John Ament
  • 11,595
  • 1
  • 36
  • 45
2

I've got an idea that may work for you, but it all really depends on what abilities your framework scripts have. For my idea to be plausible security wise you need to essentially create a sandbox for your framework files.

One idea: What you could do (but probably more resource intensive) is read each module like you would a text file. Then you need to identify everywhere that reads a file within their script. You've got things like fopen for file_get_contents to consider. One thing I'd probably do is tell the users they may only read and write files using file_get_contents and file_put_contents, then use a tool to strip out any other file write/read functions from their script (like fopen). Then write your own function to replace file_get_contents and file_put_contents, make their script use your function rather than PHP's file_get_contents and file_put_contents. In your file_get_contents function you're essentially going to be checking permissions; are they accessing your config file, yes or no, then return a string saying "access denied" if they are or you use the real file_get_contents to read and return the file if not. As for your file_put_contents, you just need to make sure they're not writing files to your server (they shouldn't be allowed, imagine what they could do!), alternatively, you could probably use a CHMOD to stop that happening. Once you've essentially rewritten the module in memory, to be secure, you then use the "exec" function to execute it.

This would take a considerable amount of work - but it's the only pure PHP way I can think of.

1

I am not sure if it is possible, however you could maybe make a system which checks the files in the module for any php code which tries to include the config file, and then warn the user about it before installing.

However it really shouldn't be your responsibility in the end.

MrE
  • 1,124
  • 3
  • 14
  • 28
  • 1
    But checking modules while installation (and also at update) will be cumbersome & complex since there are many ways to include/read a config file. – Shafiul Aug 28 '11 at 13:25
  • Actually, what if you just unset(); then variables after they have been used? that way the connection information will not be accessible after they have been used to initiate the database connection. – MrE Aug 29 '11 at 13:13
1

A very good question with no good answer that I know of, however...

Have you seen runkit? It allows for sandboxing in PHP.

The official version apparently isn't well maintained any more, however there is a version on GitHub that is quite popular: zenovich/runkit on GitHub

Although the best solution is perhaps a community repository where every submission is checked for security issues before being given the OK to use.

Good Luck with your project

Gerry
  • 10,584
  • 4
  • 41
  • 49
1

Well, I see no problem here. If it's a module, it can do harmful things by definition, with or without database access. It can delete files, read cookies, etc etc.

So, you have to either trust to these modules (may be after reviewing them) or refuse to use modules at all.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
0

Don't include your actual config file in your open source project. The way I do it is a create just the template config file config.ini.dist

When a user downloads your project they have to rename it to config.ini and enter their own configuration information.

This way every user will have their own database connection info like username and password. Also when you update your project and users download your newest version, their own config files will not be overwritten by the one from your program.

This a a very common way to store configuration in open source projects - you distribute a template config file and tell users that they have to rename it and enter their own configuration details.

Dmitri
  • 34,780
  • 9
  • 39
  • 55
  • No, no, I'm not talking about this problem. I'll not commit config file with my own settings. Suppose, some user has uploaded his project and installed a malicious module, now malicious module can get access to sensitive info - I'm talking about this issue. – Shafiul Aug 28 '11 at 13:12
  • I think there is always the possibility of malicious code when you install modules. The only way to be sure is to actually review the code of every submitted module very thoroughly before you allow that module to be included with your program. – Dmitri Aug 28 '11 at 13:17
0

I don't think there is a way to prevent a module to capture sensible data from the actual framework configuration and send it to some stranger out there. On the other end, I don't think that should be your responsability to protect the user from that to happen. After all, it's the user that will decide to install any module, right? In theory it should be him that would have to verify the module intents. Drupal, for example, does nothing in this direction. There is a worst problem, anyway: what'd prevent a nasty module to wipe out your entire database, once it is installed? And, by the way, what could the malicious stranger do with your database password? At the very least you anyway need to secure the connection of the database, so that only trusted hosts can connect to the database server (IP/host based check, for example).

Claudio
  • 5,740
  • 5
  • 33
  • 40