From owner-freebsd-questions@FreeBSD.ORG Tue Feb 10 07:12:10 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 45E6816A4CF; Tue, 10 Feb 2004 07:12:10 -0800 (PST)
Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F8BE43D1D; Tue, 10 Feb 2004 07:12:10 -0800 (PST) (envelope-from freebsd-questions-local@be-well.ilk.org)
Received: from be-well.no-ip.com ([66.30.196.44]) by comcast.net (sccrmhc12) with ESMTP id <20040210151209012008040be>; Tue, 10 Feb 2004 15:12:09 +0000
Received: by be-well.no-ip.com (Postfix, from userid 1147) id 6A97CF; Tue, 10 Feb 2004 10:12:09 -0500 (EST)
Sender: lowell@be-well.ilk.org
To: freebsd-questions@freebsd.org
To: Lewis Thompson
References: <20040209233743.GA58010@lewiz.org>
From: Lowell Gilbert
Date: 10 Feb 2004 10:12:09 -0500
In-Reply-To: <20040209233743.GA58010@lewiz.org>
Message-ID: <44isifarzq.fsf@be-well.ilk.org>
Lines: 22
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: Shell script containing passwords.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 10 Feb 2004 15:12:10 -0000

Lewis Thompson writes:

> I'm trying to write a script to use with the Apache auth plugin
> mod_auth_any. I have the whole setup working, bar the script that does
> the authentication.
>
> I am worried that because the script must be read/writeable by the
> Apache user (www) that anybody that can write a PHP script on my machine
> can read the auth script and read the passwords that would be contained
> within -- those to my MySQL server.

Why would the script be readable or writeable by any user?
It only needs to be executable, right?

> Is there any way I can have a script that is not readable by a user,
> while still allowing that user to execute it? Maybe through using a
> wrapper of some sort? I do not have UFS2 so I cannot use ACLs.
>
> Any suggestions for this as I'm stumped. Thanks very much,

Check how Apache normally deals with this; I haven't used the auth module,
but I can't believe that it requires insecure practices...
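An added example, not part of the thread: a POSIX sh audit function for the situation Lewis describes, which reports whether a script the www user must run is readable or writable by group/other and whether it carries a literal credential assignment of the kind he is worried about. The function name, the credential pattern and the sample scripts are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a script that the Apache
# user (www) must run, flagging the two things the thread is worried about:
#   1. the file is readable (or writable) by group/other, so any other
#      account that can run code as www can read it;
#   2. the file carries a hard-coded credential, i.e. a plaintext
#      assignment such as MYSQL_PASS="..." (constructed pattern).
# Returns 0 when neither problem is found, 1 when one is, 2 on a bad path.
audit_auth_script() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "$f: not a regular file"; return 2; }

    # ls -l is POSIX; characters 5-10 of the mode string are the
    # group and other permission bits (e.g. "r-xr-x" for mode 0755).
    mode=$(ls -l "$f" | cut -c1-10)
    grp_other=$(printf '%s' "$mode" | cut -c5-10)
    case $grp_other in
        *r*) echo "$f: readable by group/other ($mode)"; rc=1 ;;
    esac
    case $grp_other in
        *w*) echo "$f: writable by group/other ($mode)"; rc=1 ;;
    esac

    # Flag NAME=value where NAME looks like a password/secret and the value
    # is a literal; values starting with $ (a variable or $(command) that
    # reads the secret from elsewhere) are not flagged.
    if grep -Eiq "(pass(word|wd)?|secret)[A-Za-z_]*=[\"']?[^\"'\$ ]" "$f"; then
        echo "$f: contains a hard-coded credential"
        rc=1
    fi
    return $rc
}
```

Running it over the auth script before handing it to mod_auth_any shows at a glance whether the MySQL password would be exposed to every other www-run script on the host.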