[development] SQLite and Drupal 7 -- third coming
morbus at disobey.com
Wed Feb 4 17:00:13 UTC 2009
>>From a security point of view, any time the web server process has
> write access to any directory or file, it makes me nervous. For this
> SQLite scheme to work, obviously the web server process will have to
> be able to create and update the file in which the SQLite database
> resides. This seems like it provides another possible vector for
> exploits. Tell me how we will protect against such attacks.
This brings up a good point, I believe.
One potential avenue would be a webuser rewriting the file to point to a
different directory for, say, the user.module, and then capturing all
entered passwords in his own custom code.
This isn't on the same mentality/vein as "well, we have to *trust* that
the MySQL database is secure too, don't we?", because databases almost
always get their own username and password - but the Apache webserver is
most often run as a single user, without suexec'ing.
Morbus Iff ( *splutch* ... /me respawns )
Enjoy: http://www.disobey.com/ and http://www.videounderbelly.com/
aim: akaMorbus / skype: morbusiff / icq: 2927491 / jabber.org: morbus
More information about the development