From: Lewis Thompson
To: Peter Risdon
cc: FreeBSD-questions
Date: Tue, 10 Feb 2004 16:06:37 +0000
Subject: Re: Shell script containing passwords.
Message-ID: <20040210160635.GA7479@lewiz.org>
In-Reply-To: <4028FF18.6090302@circlesquared.com>
References: <20040209233743.GA58010@lewiz.org> <4028FF18.6090302@circlesquared.com>
On Tue, Feb 10, 2004 at 03:56:08PM +0000, Peter Risdon wrote:
> Lewis Thompson wrote:
> > I am worried that because the script must be read/writeable by the
> >Apache user (www) that anybody that can write a PHP script on my machine
> >can read the auth script and read the passwords that would be contained
> >within -- those to my MySQL server.
> All you can do really is store the passwords themselves in an include
> file that you put in the most secure place possible, preferably not in
> webspace. But I imagine you have this covered.

Yeah, but this is really security through obscurity, not something I'm
keen on ;)

> > Is there any way I can have a script that is not readable by a user,
> >while still allowing that user to execute it? Maybe through using a
> >wrapper of some sort? I do not have UFS2 so I cannot use ACLs.
> >
>
> Not that I know of, but have you considered compiling apache with
> suexec? Assuming your other users have separate logins, this might work.
> You can have apache execute scripts as the appropriate user, not www.
> That way, a 700 permission should prevent other users from reading your
> scripts.

I read some stuff about this. I got the impression it required using
PHP as a CGI, instead of mod_php. Am I wrong in thinking this? The
overhead of using PHP as CGI is a little too high because the server is
already pretty stretched...

Thanks very much,

-lewiz.

--
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jabber:lewiz@jabber.org | url:www.lewiz.org |-
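An added example (not code from this thread) modelling the trade-off discussed above: under mod_php every PHP script runs as the www user, so a credentials file that www can read is readable by every local user who can upload PHP; under suexec each script runs as its author, so a 700 file stays private to its owner. The uid 80 for www and the account names and uids are constructed.

```python
import stat
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Account:
    uid: int
    gids: List[int]        # primary + supplementary groups

@dataclass
class CredFile:
    mode: int              # permission bits, e.g. 0o640
    uid: int               # owner
    gid: int               # group

def can_read(f: CredFile, uid: int, gids: List[int]) -> bool:
    """Unix discretionary read check in the kernel's order:
    root, then owner class, then group class, then 'other'."""
    if uid == 0:
        return True
    if uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def php_readers(f: CredFile, accounts: Dict[str, Account],
                www: Account, suexec: bool) -> List[str]:
    """Accounts that can read the file through a PHP script they author.
    mod_php: every script runs as www, so all authors inherit www's access.
    suexec:  each script runs with its author's own uid and groups."""
    readers = []
    for name, acct in accounts.items():
        eff = acct if suexec else www
        if can_read(f, eff.uid, eff.gids):
            readers.append(name)
    return readers

# Constructed sample accounts: lewiz owns the credentials file, mallory is
# another local user who can upload PHP to the same Apache instance.
WWW = Account(uid=80, gids=[80])
ACCOUNTS = {"lewiz": Account(1001, [1001]), "mallory": Account(1002, [1002])}

if __name__ == "__main__":
    # mod_php with a 640 lewiz:www file: www must read it, so mallory can too.
    print(php_readers(CredFile(0o640, 1001, 80), ACCOUNTS, WWW, suexec=False))
    # mod_php with 700: nobody else can read it, but neither can the site.
    print(php_readers(CredFile(0o700, 1001, 1001), ACCOUNTS, WWW, suexec=False))
    # suexec with 700: lewiz's scripts can read it and mallory's cannot.
    print(php_readers(CredFile(0o700, 1001, 1001), ACCOUNTS, WWW, suexec=True))
```

The last case is the 700-under-suexec arrangement Peter describes; note that suexec alone does not help if the file is left 644, since the 'other' bit still grants every author read access.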