From owner-freebsd-questions@FreeBSD.ORG Tue Feb 10 08:35:47 2004
From: Peter Risdon
To: Lewis Thompson
cc: FreeBSD-questions
Subject: Re: Shell script containing passwords.
Date: Tue, 10 Feb 2004 16:36:13 +0000
Message-ID: <4029087D.7040604@circlesquared.com>
In-Reply-To: <20040210160635.GA7479@lewiz.org>
References: <20040209233743.GA58010@lewiz.org> <4028FF18.6090302@circlesquared.com> <20040210160635.GA7479@lewiz.org>

Lewis Thompson wrote:

> On Tue, Feb 10, 2004 at 03:56:08PM +0000, Peter Risdon wrote:
>
>> Lewis Thompson wrote:
>>
>>> I am worried that because the script must be read/writeable by the
>>> Apache user (www) that anybody that can write a PHP script on my machine
>>> can read the auth script and read the passwords that would be contained
>>> within -- those to my MySQL server.
>>
>> All you can do really is store the passwords themselves in an include
>> file that you put in the most secure place possible, preferably not in
>> webspace. But I imagine you have this covered.
>
> Yeah, but this is really security through obscurity, not something I'm
> keen on ;)

That's kind of what we're talking about here, though. Keeping a file's
contents inaccessible.

>>> Is there any way I can have a script that is not readable by a user,
>>> while still allowing that user to execute it? Maybe through using a
>>> wrapper of some sort? I do not have UFS2 so I cannot use ACLs.
>>
>> Not that I know of, but have you considered compiling apache with
>> suexec? Assuming your other users have separate logins, this might work.
>> You can have apache execute scripts as the appropriate user, not www.
>> That way, a 700 permission should prevent other users from reading your
>> scripts.
>
> I read some stuff about this. I got the impression it required using
> PHP as a CGI, instead of mod_php. Am I wrong in thinking this?

Yes, you can use mod_php with suexec. Makes most sense with virtual
hosts, because each host must run as a single user.

PWR.
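A small audit check for the permission point raised in the thread, added here and not part of the original mail: it lists files under a directory that any user other than the owner could read, so a password include that is meant to be owner-only (0600/0700) shows up if it is not. The directory argument and file names are constructed for illustration.

```shell
# Added example, not from the original thread. With suexec and mode
# 0600/0700 only the owning user can read the include file; under mod_php
# every script runs as www, so an include www can read is readable by
# anyone who can write a PHP script on the host. This helper reports files
# whose mode bits grant read access beyond the owner.
# Assumes POSIX sh and find(1); the directory argument is hypothetical.

# Print regular files under DIR readable by group or other
# (octal 040 = group read bit, 004 = other read bit), sorted.
insecure_readable() {
    dir=$1
    find "$dir" -type f \( -perm -040 -o -perm -004 \) | sort
}

# Succeed (exit 0) only when every file under DIR is owner-only readable,
# the permission the thread recommends for the password include.
check_secret_dir() {
    [ -z "$(insecure_readable "$1")" ]
}

# Example run on a constructed directory:
#   d=$(mktemp -d); printf 'pass=x\n' > "$d/auth.inc"; chmod 600 "$d/auth.inc"
#   check_secret_dir "$d" && echo "ok: owner-only"
```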