Topic: sqlite - security

Since sqlite does not use usernames and passwords, what is to stop someone on the same computer from accessing and editing the sqlite database file? If it can be written to by the web server, then presumably anyone can edit it via some php code?

Thanks,

Re: sqlite - security

I would have thought the security of the file is left up to whoever is running the server, not PunBB.

Re: sqlite - security

Sorry, I should have explained better - I install punBB inside my web directory, and now let's say I have a database file forum.db which is somewhere on the web server. The user running the web server is apache, so I can set the owner of the forum.db file to be apache. I tell punBB to use that database file. That all works fine.

Now let's say another user comes along, and decides to install a forum of his own in his own web space - there is nothing to stop him from using the same database file as me, since he can use any file accessible by apache, right? There is nothing really linking the database file to a specific forum or my user on the computer. Does this make sense? Of course, I could just rely on the user being honest and using a different table prefix, but we all know that trusting users to be honest is not the best security measure :-) So he could write a php file which would essentially delete all tables in my database file, or insert spam, right?

Thanks,

Re: sqlite - security

Sorry, I did understand, and I'm not sure what the answer is, but what I mean is, it's not a PunBB-specific problem, it's just the way SQLite works if it is the case.


Re: sqlite - security

melkor445 wrote:

I install punBB inside my web directory, and now let's say I have a database file forum.db which is somewhere on the web server. The user running the web server is apache, so I can set the owner of the forum.db file to be apache. I tell punBB to use that database file. That all works fine.

You would NOT want to make the owner Apache or whatever web server is being used. In a shared hosting environment the web server usually runs with the permissions of the account it is being used under. If your account name is joe for example Apache will be running as if it is joe and the files will be owned by joe.

melkor445 wrote:

Now let's say another user comes along, and decides to install a forum of his own in his own web space - there is nothing to stop him from using the same database file as me, since he can use any file accessible by apache, right?

Not right.  The file won't be owned by the web server.  If that were the case any person on a shared server would be able to modify the files of any other user on the same server and that isn't the case and doesn't happen.

melkor445 wrote:

There is nothing really linking the database file to a specific forum or my user on the computer.

It's not linked to a specific forum but it is linked to, actually owned by, your user name on the shared system.
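
An added example, not part of the thread or of PunBB: a Python check of the point made in the last reply, that the database file is protected by who owns it and what its mode bits allow. It assumes a POSIX host; `audit_sqlite_file` and the `forum.db` sample are constructed here, and the directory is checked too because SQLite writes its journal files beside the database.

```python
import os
import stat
import tempfile

SIDECARS = ("-journal", "-wal", "-shm")  # files SQLite creates next to the database


def audit_sqlite_file(db_path, expected_uid=None):
    """Return findings for a SQLite database file, its sidecars and its directory."""
    expected_uid = os.geteuid() if expected_uid is None else expected_uid
    findings = []
    directory = os.path.dirname(os.path.abspath(db_path))
    targets = [directory, db_path] + [db_path + s for s in SIDECARS]
    for path in targets:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # sidecar files only exist while SQLite is using them
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if mode & stat.S_IWOTH:
            findings.append(f"{path}: writable by every local user ({mode:04o})")
        if mode & stat.S_IROTH and not stat.S_ISDIR(st.st_mode):
            findings.append(f"{path}: readable by every local user ({mode:04o})")
        if mode & stat.S_IWGRP:
            findings.append(f"{path}: group-writable ({mode:04o})")
    return findings


def demo():
    """Constructed sample: a loosely permissioned forum.db, then a tightened one."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "forum.db")
        open(db, "wb").close()
        os.chmod(d, 0o777)   # anyone may create or delete files here
        os.chmod(db, 0o666)  # anyone may read and write the database
        loose = audit_sqlite_file(db)
        os.chmod(d, 0o700)   # only the owning account
        os.chmod(db, 0o600)
        tight = audit_sqlite_file(db)
    return loose, tight


if __name__ == "__main__":
    for label, result in zip(("loose", "tight"), demo()):
        print(label, result or "no findings")
```

Run it as the account that owns the forum, or pass `expected_uid` for that account, so the ownership check compares against the right user.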