Shell script containing passwords.
Peter Risdon
peter at circlesquared.com
Tue Feb 10 08:35:48 PST 2004
Lewis Thompson wrote:
>On Tue, Feb 10, 2004 at 03:56:08PM +0000, Peter Risdon wrote:
>
>>Lewis Thompson wrote:
>>
>>>I am worried that because the script must be read/writeable by the
>>>Apache user (www) that anybody that can write a PHP script on my machine
>>>can read the auth script and read the passwords that would be contained
>>>within -- those to my MySQL server.
>
>>All you can do really is store the passwords themselves in an include
>>file that you put in the most secure place possible, preferably not in
>>webspace. But I imagine you have this covered.
>
>Yeah, but this is really security through obscurity, not something I'm
>keen on ;)
>
That's kind of what we're talking about here, though. Keeping a file's
contents inaccessible.
>
>>>Is there any way I can have a script that is not readable by a user,
>>>while still allowing that user to execute it? Maybe through using a
>>>wrapper of some sort? I do not have UFS2 so I cannot use ACLs.
>
>>Not that I know of, but have you considered compiling apache with
>>suexec? Assuming your other users have separate logins, this might work.
>>You can have apache execute scripts as the appropriate user, not www.
>>That way, a 700 permission should prevent other users from reading your
>>scripts.
>
>I read some stuff about this. I got the impression it required using
>PHP as a CGI, instead of mod_php. Am I wrong in thinking this?
>
Yes, you can use mod_php with suexec. Makes most sense with virtual
hosts, because each host must run as a single user.
PWR.
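
Added example, not part of the original message: a small POSIX sh audit for the two measures suggested in this thread, namely keeping the password include file outside webspace and removing group/other access to it (the 700-style permission). The function names and any paths passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a credentials include file (names are hypothetical).

# Print the path of FILE with symlinks in its directory part resolved.
real_path() {
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$1")"
}

# check_secret_file FILE DOCROOT
# Returns 0 if FILE lies outside DOCROOT and has no group/other
# permission bits set; otherwise prints a reason and returns 1.
check_secret_file() {
    file=$1
    docroot=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    rfile=$(real_path "$file") || return 1
    rroot=$(cd "$docroot" && pwd -P) || return 1

    # Reject a file that sits anywhere below the web server's document root.
    case $rfile in
        "$rroot"/*) echo "inside webspace: $rfile"; return 1 ;;
    esac

    # Portable test for any group/other bit (same syntax on BSD and GNU find).
    loose=$(find "$rfile" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$loose" ] || { echo "group/other access: $rfile"; return 1; }

    echo "ok: $rfile"
}

# Run the check when called as: script FILE DOCROOT
if [ "$#" -eq 2 ]; then
    check_secret_file "$1" "$2"
fi
```

A pass only confirms those two properties; whichever user the PHP code runs as must still be able to read the file.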