From owner-freebsd-questions@FreeBSD.ORG Tue Feb 10 07:55:37 2004
Message-ID: <4028FF18.6090302@circlesquared.com>
Date: Tue, 10 Feb 2004 15:56:08 +0000
From: Peter Risdon
To: Lewis Thompson
cc: FreeBSD-questions
In-Reply-To: <20040209233743.GA58010@lewiz.org>
Subject: Re: Shell script containing passwords.

Lewis Thompson wrote:
>Hi,
>
>I'm trying to write a script to use with the Apache auth plugin
>mod_auth_any. I have the whole setup working, bar the script that does
>the authentication.
>
>I am worried that because the script must be read/writeable by the
>Apache user (www) that anybody that can write a PHP script on my machine
>can read the auth script and read the passwords that would be contained
>within -- those to my MySQL server.
>

All you can do really is store the passwords themselves in an include
file that you put in the most secure place possible, preferably not in
webspace. But I imagine you have this covered.

>Is there any way I can have a script that is not readable by a user,
>while still allowing that user to execute it? Maybe through using a
>wrapper of some sort? I do not have UFS2 so I cannot use ACLs.
>

Not that I know of, but have you considered compiling apache with
suexec? Assuming your other users have separate logins, this might
work. You can have apache execute scripts as the appropriate user, not
www. That way, a 700 permission should prevent other users from reading
your scripts.

PWR.
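As an added illustration (not code from either mail in the thread), here is a small POSIX sh guard an auth script could run before sourcing the password include file Peter describes: it refuses to read the file unless it is owned by the user the script runs as (the script owner under suexec, not www) and is unreadable by group and others. The include-file path is an assumption.

```sh
#!/bin/sh
# Added example, not from the original thread. Checks a password include
# file kept outside webspace before sourcing it: regular file, owned by
# the current uid, no group/other read bits. Under suexec the current uid
# is the script owner, so a 0600 file passes while a 0644 one, which any
# other local user or PHP script could read, is rejected.
# CREDS_FILE is an assumed location, not one named in the thread.

CREDS_FILE="${CREDS_FILE:-/usr/local/etc/auth/mysql.creds}"

# Permission string for group and others, e.g. "------" or "r--r--".
# ls/cut rather than stat so it behaves the same on FreeBSD and Linux.
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

# Numeric uid of the file owner (ls -n prints ids instead of names).
file_uid() {
    ls -nd "$1" | awk '{print $3}'
}

# Return 0 when the file is safe to hold a password; otherwise say why
# on stderr and return a distinct non-zero code.
creds_ok() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ "$(file_uid "$f")" = "$(id -u)" ] || { echo "$f: not owned by uid $(id -u)" >&2; return 2; }
    [ "$(group_other_perms "$f")" = "------" ] || { echo "$f: readable by group or others" >&2; return 3; }
    return 0
}

# Source the include file only after it passes the checks.
load_creds() {
    creds_ok "$1" || return $?
    . "$1"
}

# Demo on constructed files in a scratch directory, never the real file.
demo() {
    d=$(mktemp -d)
    printf 'MYSQL_USER=auth\nMYSQL_PW=constructed-example\n' > "$d/good"
    cp "$d/good" "$d/bad"
    chmod 600 "$d/good"
    chmod 644 "$d/bad"
    for f in "$d/good" "$d/bad"; do
        if creds_ok "$f"; then echo "$f: ok to source"; fi
    done
    rm -rf "$d"
}

demo
```

In the real script, replace the demo with `load_creds "$CREDS_FILE" || exit 1` and then use the sourced variables for the MySQL connection.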