Shell script containing passwords.
Lowell Gilbert
freebsd-questions-local at be-well.ilk.org
Tue Feb 10 07:12:10 PST 2004
Lewis Thompson <purple at lewiz.net> writes:
> I'm trying to write a script to use with the Apache auth plugin
> mod_auth_any. I have the whole setup working, bar the script that does
> the authentication.
>
> I am worried that because the script must be read/writeable by the
> Apache user (www) that anybody that can write a PHP script on my machine
> can read the auth script and read the passwords that would be contained
> within -- those to my MySQL server.
Why would the script be readable or writeable by any user?
It only needs to be executable, right?
> Is there any way I can have a script that is not readable by a user,
> while still allowing that user to execute it? Maybe through using a
> wrapper of some sort? I do not have UFS2 so I cannot use ACLs.
>
> Any suggestions for this as I'm stumped. Thanks very much,
Check how Apache normally deals with this; I haven't used the auth
module, but I can't believe that it requires insecure practices...
More information about the freebsd-questions
mailing list