> Like you can see, the sess_ files permissions are -rw------- for user
> root or www-data (like ja apache is installed)
> All other users can't read the info (non of the same group nor the other
> users)
>
> only the user running the apache server itself
> so show me where the security leak is ?
> I think its normal that apach itself can read the file and no one else
> can!
Well, IMHO storing a plain-text password is a problem anyway, and against
the 'good-practices'. Tell me, why passwords are usually stored only in
md5 hash form in /etc/shadow? It's readable only for root, so should be
no problem ;-).
Possible intruder which will gain apache's privilegies, can read the file
and get the plaintext passwords *very* easily, w/o running any brute-force
decoder on them. And that's a Bad Thing (tm).
--
Petr "Pasky" Baudis
. .
n = ((n >> 1) & 0x55555555) | ((n << 1) & 0xaaaaaaaa);
n = ((n >> 2) & 0x33333333) | ((n << 2) & 0xcccccccc);
n = ((n >> 4) & 0x0f0f0f0f) | ((n << 4) & 0xf0f0f0f0);
n = ((n >> 8) & 0x00ff00ff) | ((n << 8) & 0xff00ff00);
n = ((n >> 16) & 0x0000ffff) | ((n << 16) & 0xffff0000);
-- C code which reverses the bits in a word.
. .
My public PGP key is on: http://pasky.ji.cz/~pasky/pubkey.txt
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++:++ a--- C+++ UL++++$ P+ L+++ E--- W+ N !o K- w-- !O M-
!V PS+ !PE Y+ PGP+>++ t+ 5 X(+) R++ tv- b+ DI(+) D+ G e-> h! r% y?
------END GEEK CODE BLOCK------
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 11:13:12 PDT