Date:      Tue, 10 Feb 2004 15:56:08 +0000
From:      Peter Risdon <peter@circlesquared.com>
To:        Lewis Thompson <purple@lewiz.net>
Cc:        FreeBSD-questions <questions@freebsd.org>
Subject:   Re: Shell script containing passwords.
Message-ID:  <4028FF18.6090302@circlesquared.com>
In-Reply-To: <20040209233743.GA58010@lewiz.org>
References:  <20040209233743.GA58010@lewiz.org>

Lewis Thompson wrote:

>Hi,
>
>I'm trying to write a script to use with the Apache auth plugin
>mod_auth_any.  I have the whole setup working, bar the script that does
>the authentication.
>
>  I am worried that because the script must be read/writeable by the
>Apache user (www) that anybody that can write a PHP script on my machine
>can read the auth script and read the passwords that would be contained
>within -- those to my MySQL server.
>  
>
All you can do really is store the passwords themselves in an include 
file that you put in the most secure place possible, preferably not in 
webspace. But I imagine you have this covered.

>  Is there any way I can have a script that is not readable by a user,
>while still allowing that user to execute it?  Maybe through using a
>wrapper of some sort?  I do not have UFS2 so I cannot use ACLs.
>  
>
Not that I know of, but have you considered compiling Apache with 
suexec? Assuming your other users have separate logins, this might work. 
You can have Apache execute scripts as the appropriate user, not www. 
That way, a 700 permission should prevent other users from reading your 
scripts.

PWR.
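
A check for the two suggestions in this reply (a password include file kept out of webspace, and owner-only permissions such as 700 for scripts run under suexec), as an added example that is not part of the original message. The function names and the paths in the usage comment are hypothetical; the check reads only the `ls -ld` mode string and resolved directories, so it needs no ACL support.

```shell
#!/bin/sh
# Added example: audit a file that holds credentials (or a suexec-run script).
# Usage (hypothetical paths): sh check_secret.sh /usr/local/etc/db.inc /usr/local/www/data

# Print the symlink-resolved directory that contains $1.
real_dir() {
    ( cd "$(dirname -- "$1")" 2>/dev/null && pwd -P )
}

# check_secret_file FILE DOCROOT
# Returns 0 when FILE is a regular, non-symlink file that lives outside
# DOCROOT and grants nothing to group or other (600, 700, 400 ...).
# Otherwise prints the reason and returns 1.
check_secret_file() {
    csf_file=$1
    csf_docroot=$2

    if [ -L "$csf_file" ] || [ ! -f "$csf_file" ]; then
        echo "FAIL: $csf_file is missing, a symlink, or not a regular file"
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    csf_bits=$(ls -ld -- "$csf_file" | cut -c5-10)
    if [ "$csf_bits" != "------" ]; then
        echo "FAIL: $csf_file is accessible to group/other ($csf_bits)"
        return 1
    fi

    csf_dir=$(real_dir "$csf_file") || return 1
    csf_root=$(cd "$csf_docroot" 2>/dev/null && pwd -P) || {
        echo "FAIL: cannot resolve document root $csf_docroot"
        return 1
    }
    case "$csf_dir/" in
        "$csf_root"/*)
            echo "FAIL: $csf_file is inside webspace ($csf_root)"
            return 1 ;;
    esac

    echo "OK: $csf_file"
}

# Run as a script only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    check_secret_file "$1" "$2"
fi
```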


