Date: Sat, 17 Jun 2000 14:04:33 -0700 (PDT)
From: The Clark Family
To: Ryan Thompson
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Securing Perl::DBI connections

FWIW. Apache can run as a different user than nobody. I usually create a
user and group called apache for just that purpose.

Accessing databases through DBI doesn't preclude using passwords and logins
on the databases.(?) Your Perl code can also encrypt passwords before
storing them.

[RC]

On Sat, 17 Jun 2000, Ryan Thompson wrote:

>
> Hi all,
>
> I have several mySQL users @localhost who have various privileges on
> various databases. While no outside hosts are allowed to connect to mySQL
> (and I have even blocked the ports on our uplink firewall), there is a
> small chance that a user with local telnet access could discover passwords
> for a few of the databases that our backend Perl applications use. There
> is no really sensitive information up for grabs, but I *do* want to keep
> things secure, if for no other reason than to ensure the integrity of the
> databases.
>
> The problem lies in the storage of passwords. Automated programs need to
> store the password. And, when we're talking about a world-readable
> clear-text Perl program, we're talking about clear-text passwords. Now, I
> could beef up permissions somewhat, but since most of these programs run
> under Apache, they must be executable by "nobody". FWIW, I don't store
> passwords in the programs themselves, just the support modules which exist
> elsewhere on the system (completely off of our web tree).
>
> Any ideas on how I could ensure that only a few of my programs can have
> access to a mySQL database, without putting the password clear-text for
> anyone with a shell account to see?
>
> - Ryan
>
> --
> Ryan Thompson
> Systems Administrator, Accounts
> Phone: +1 (306) 664-1161
>
> SaskNow Technologies http://www.sasknow.com
> #106-380 3120 8th St E Saskatoon, SK S7H 0W2
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
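
Added example, not part of the original thread: one way to apply the dedicated Apache user suggested above is to keep the DBI login in a file that "other" cannot read and have the support module refuse to load it otherwise. The function name load_db_credentials, the key=value file format and the sample values are assumptions; a temporary file stands in for the real credentials file.

```perl
#!/usr/bin/perl
# Added example: hand DBI a login only if the credentials file is closed
# to "other". Names, file format and sample values are constructed.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Return (user, password) from a key=value file, or die when the file is
# readable/writable by "other" or owned by a uid not in @allowed_uids.
sub load_db_credentials {
    my ($path, @allowed_uids) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    # stat the open handle, not the path, so the file checked is the file read
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$path is not a regular file\n" unless S_ISREG($mode);
    die sprintf("%s has mode %04o; remove access for 'other'\n",
                $path, $mode & 07777)
        if $mode & (S_IROTH | S_IWOTH);
    die "$path is owned by unexpected uid $uid\n"
        unless grep { $_ == $uid } @allowed_uids;
    my %cfg;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;          # skip comments and blanks
        my ($k, $v) = split /=/, $line, 2;
        $cfg{$k} = $v if defined $v;
    }
    close $fh;
    defined $cfg{$_} or die "$path lacks '$_'\n" for qw(user password);
    return @cfg{qw(user password)};
}

# Constructed demonstration file (tempfile creates it with mode 0600).
my ($tmp, $file) = tempfile(UNLINK => 1);
print {$tmp} "# constructed sample\nuser=webapp\npassword=constructed-sample\n";
close $tmp;

chmod 0644, $file;                               # world-readable: must fail
my @cred = eval { load_db_credentials($file, $>) };
print "0644: ", (@cred ? "accepted\n" : "rejected: $@");

chmod 0640, $file;                               # owner + group only: passes
@cred = eval { load_db_credentials($file, $>) };
print "0640: ", (@cred ? "accepted for user $cred[0]\n" : "rejected: $@");
# The support module would then call: DBI->connect($dsn, @cred, {RaiseError => 1});
```

On a real host the file would be owned by root with group apache and mode 0640, and uid 0 would be passed as the allowed owner. Any code that runs as the apache user can still read the file, so this only closes off other shell accounts.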