Date: Tue, 10 Feb 2004 16:36:13 +0000
From: Peter Risdon <peter@circlesquared.com>
To: Lewis Thompson <purple@lewiz.net>
Cc: FreeBSD-questions <questions@freebsd.org>
Subject: Re: Shell script containing passwords.
Message-ID: <4029087D.7040604@circlesquared.com>
In-Reply-To: <20040210160635.GA7479@lewiz.org>
References: <20040209233743.GA58010@lewiz.org> <4028FF18.6090302@circlesquared.com> <20040210160635.GA7479@lewiz.org>

Lewis Thompson wrote:

>On Tue, Feb 10, 2004 at 03:56:08PM +0000, Peter Risdon wrote:
>
>>Lewis Thompson wrote:
>>
>>>I am worried that because the script must be read/writeable by the
>>>Apache user (www) that anybody that can write a PHP script on my machine
>>>can read the auth script and read the passwords that would be contained
>>>within -- those to my MySQL server.
>
>>All you can do really is store the passwords themselves in an include
>>file that you put in the most secure place possible, preferably not in
>>webspace. But I imagine you have this covered.
>
>Yeah, but this is really security through obscurity, not something I'm
>keen on ;)

That's kind of what we're talking about here, though. Keeping a file's
contents inaccessible.

>>>Is there any way I can have a script that is not readable by a user,
>>>while still allowing that user to execute it? Maybe through using a
>>>wrapper of some sort? I do not have UFS2 so I cannot use ACLs.
>
>>Not that I know of, but have you considered compiling apache with
>>suexec? Assuming your other users have separate logins, this might work.
>>You can have apache execute scripts as the appropriate user, not www.
>>That way, a 700 permission should prevent other users from reading your
>>scripts.
>
>I read some stuff about this. I got the impression it required using
>PHP as a CGI, instead of mod_php. Am I wrong in thinking this?

Yes, you can use mod_php with suexec. Makes most sense with virtual
hosts, because each host must run as a single user.

PWR.
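
A check for the two measures discussed in this thread (the credentials include kept out of webspace, and no group or other access, as with the 700 permission under suexec), as an added example that is not part of the original message. The function names and the paths passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: audit a credentials include file.
# Usage (hypothetical paths): sh audit.sh /usr/local/www/data /home/lewis/private/db.inc

# has_perm FILE MODE: succeeds if every bit in octal MODE is set on FILE.
# find -perm -MODE only looks at the mode bits, so it also works as root.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_secret DOCROOT FILE: prints "ok" or a space-separated list of findings.
#   in-webspace            FILE resolves to a path under DOCROOT
#   group-or-other-access  FILE has any group/other permission bit set,
#                          i.e. it is looser than the 600/700 the thread suggests
audit_secret() {
    # Resolve both paths physically so symlinked directories cannot hide
    # a file that really lives inside the document root.
    docroot=$(cd "$1" && pwd -P) || return 2
    dir=$(cd "$(dirname "$2")" && pwd -P) || return 2
    file="$dir/$(basename "$2")"
    findings=""

    case "$file" in
        "$docroot"/*) findings="$findings in-webspace" ;;
    esac

    for bit in 0040 0020 0010 0004 0002 0001; do
        if has_perm "$file" "$bit"; then
            findings="$findings group-or-other-access"
            break
        fi
    done

    findings=${findings# }
    echo "${findings:-ok}"
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_secret "$1" "$2"
fi
```

Without suexec the include still has to be readable by the www user, so a file that passes this check is only usable when the scripts run as its owner.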