Date: Tue, 10 Feb 2004 16:06:37 +0000
From: Lewis Thompson <purple@lewiz.net>
To: Peter Risdon <peter@circlesquared.com>
Cc: FreeBSD-questions <questions@freebsd.org>
Subject: Re: Shell script containing passwords.
Message-ID: <20040210160635.GA7479@lewiz.org>
In-Reply-To: <4028FF18.6090302@circlesquared.com>
References: <20040209233743.GA58010@lewiz.org> <4028FF18.6090302@circlesquared.com>

On Tue, Feb 10, 2004 at 03:56:08PM +0000, Peter Risdon wrote:
> Lewis Thompson wrote:
> >  I am worried that because the script must be read/writeable by the
> >Apache user (www) that anybody that can write a PHP script on my machine
> >can read the auth script and read the passwords that would be contained
> >within -- those to my MySQL server.
>
> All you can do really is store the passwords themselves in an include
> file that you put in the most secure place possible, preferably not in
> webspace. But I imagine you have this covered.

Yeah, but this is really security through obscurity, not something I'm
keen on ;)

> >  Is there any way I can have a script that is not readable by a user,
> >while still allowing that user to execute it?  Maybe through using a
> >wrapper of some sort?  I do not have UFS2 so I cannot use ACLs.
>
> Not that I know of, but have you considered compiling apache with
> suexec? Assuming your other users have separate logins, this might work.
> You can have apache execute scripts as the appropriate user, not www.
> That way, a 700 permission should prevent other users from reading your
> scripts.

I read some stuff about this.  I got the impression it required using
PHP as a CGI, instead of mod_php.  Am I wrong in thinking this?  The
overhead of using PHP as CGI is a little too high because the server is
already pretty stretched...

Thanks very much,

-lewiz.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jabber:lewiz@jabber.org | url:www.lewiz.org |-
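
The two conditions discussed in this message (include file kept out of webspace, and a mode such as 700 keeping other accounts out) can be checked mechanically. The following is an added example, not part of the original e-mail: the function names, the `top` parameter and the paths passed on the command line are assumptions, and only classic mode bits are evaluated (no ACLs).

```python
import os
import stat

def _allowed(st, uid, gids, u_bit, g_bit, o_bit):
    """Classic Unix check: only one of the owner/group/other classes applies."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & u_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & g_bit)
    return bool(st.st_mode & o_bit)

def can_read(path, uid, gids, top="/"):
    """True if uid/gids can search every directory from `top` down to the
    file and has read permission on the file itself (mode bits only)."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    d = os.path.dirname(path)
    while True:
        if not _allowed(os.stat(d), uid, gids,
                        stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
        if d == top or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return _allowed(os.stat(path), uid, gids,
                    stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def in_webspace(path, docroot):
    """True if the file resolves to a location under the document root."""
    path, docroot = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([path, docroot]) == docroot

def audit(path, docroot, web_uid, web_gids, top="/"):
    """Return findings for a credentials file; an empty list means neither
    condition from the thread applies."""
    findings = []
    if in_webspace(path, docroot):
        findings.append("inside document root")
    if can_read(path, web_uid, web_gids, top):
        findings.append("readable by web server user")
    return findings

if __name__ == "__main__":
    import pwd, sys
    www = pwd.getpwnam("www")            # assumed account name, as in the thread
    gids = set(os.getgrouplist(www.pw_name, www.pw_gid))
    print(audit(sys.argv[1], sys.argv[2], www.pw_uid, gids))
```

Under mod_php every user's script runs as `www`, so a file that reports "readable by web server user" is readable by all of them wherever it is stored.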