From owner-freebsd-database Tue Jun 13 15:54:15 2000
Delivered-To: freebsd-database@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id AAD1737B6D1 for ; Tue, 13 Jun 2000 15:54:10 -0700 (PDT) (envelope-from ryan@sasknow.com)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.9.3/8.9.3) with ESMTP id QAA20965 for ; Tue, 13 Jun 2000 16:55:59 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Tue, 13 Jun 2000 16:55:59 -0600 (CST)
From: Ryan Thompson
To: freebsd-database@freebsd.org
Subject: Securing Perl::DBI connections
Message-ID:
Organization: SaskNow Technologies [www.sasknow.com]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-database@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all,

I have several mySQL users @localhost who have various privileges on various databases. While no outside hosts are allowed to connect to mySQL (and I have even blocked the ports on our uplink firewall), there is a small chance that a user with local telnet access could discover passwords for a few of the databases that our backend Perl applications use. There is no really sensitive information up for grabs, but I *do* want to keep things secure, if for no other reason than to ensure the integrity of the databases.

The problem lies in the storage of passwords. Automated programs need to store the password. And, when we're talking about a world-readable clear-text Perl program, we're talking about clear-text passwords. Now, I could beef up permissions somewhat, but since most of these programs run under Apache, they must be executable by "nobody". FWIW, I don't store passwords in the programs themselves, just the support modules which exist elsewhere on the system (completely off of our web tree).

Any ideas on how I could ensure that only a few of my programs can have access to a mySQL database, without putting the password clear-text for anyone with a shell account to see?

- Ryan

--
Ryan Thompson
Systems Administrator, Accounts
Phone: +1 (306) 664-1161
SaskNow Technologies http://www.sasknow.com
#106-380 3120 8th St E Saskatoon, SK S7H 0W2
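
Added example, not part of the original post and not the poster's code: one way to act on the "beef up permissions" idea is to keep the DBI credentials in a separate file off the web tree and have the support module refuse to load it when its mode lets other local users read it. It assumes a hypothetical "user:password" file format, a hypothetical database name (appdb), and a file owned by the administrator with its group set to the one the web server runs under; anything else that runs as that same web server user can still read the file, so this only shuts out ordinary shell accounts.

```perl
#!/usr/bin/perl
# Added example: load DBI credentials from a file kept off the web tree and
# refuse to use it if its permissions expose it to other local users.
use strict;
use warnings;
use Fcntl ':mode';          # S_ISREG, S_IMODE, S_IRWXO, S_IWGRP
use File::Temp 'tempfile';

# Return (user, password) from a "user:password" file (hypothetical format),
# but only if it is a regular file, closed to "other", and not group-writable.
sub load_db_credentials {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @st = stat($fh);      # stat the open handle, not the path, to avoid a race
    die "cannot stat $path: $!\n" unless @st;
    my $mode = $st[2];
    die "$path is not a regular file\n" unless S_ISREG($mode);
    my $perm = S_IMODE($mode);
    die sprintf("%s has mode %04o: accessible to other users\n", $path, $perm)
        if $perm & S_IRWXO;
    die sprintf("%s has mode %04o: group-writable\n", $path, $perm)
        if $perm & S_IWGRP;
    my $line = <$fh>;
    close $fh;
    $line = '' unless defined $line;
    chomp $line;
    my ($user, $pass) = split /:/, $line, 2;
    die "$path: expected user:password\n"
        unless defined $pass && length $user;
    return ($user, $pass);
}

# Demonstration on a constructed credentials file (values are made up).
my ($tmp, $file) = tempfile(UNLINK => 1);
print {$tmp} "appuser:constructed-example-secret\n";
close $tmp;

for my $mode (0644, 0640) {   # world-readable first, then owner+group only
    chmod $mode, $file or die "chmod: $!\n";
    my ($user, $pass) = eval { load_db_credentials($file) };
    if ($@) { print "REFUSED: $@"; next }
    printf "mode %04o accepted, connecting as %s\n", $mode, $user;
    # A real caller would now pass the pair to DBI, for example:
    # my $dbh = DBI->connect('DBI:mysql:database=appdb', $user, $pass,
    #                        { RaiseError => 1 });
}
```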