Date: 10 Feb 2004 10:12:09 -0500 From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> To: Lewis Thompson <purple@lewiz.net> Subject: Re: Shell script containing passwords. Message-ID: <44isifarzq.fsf@be-well.ilk.org> In-Reply-To: <20040209233743.GA58010@lewiz.org> References: <20040209233743.GA58010@lewiz.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Lewis Thompson <purple@lewiz.net> writes: > I'm trying to write a script to use with the Apache auth plugin > mod_auth_any. I have the whole setup working, bar the script that does > the authentication. > > I am worried that because the script must be read/writeable by the > Apache user (www) that anybody that can write a PHP script on my machine > can read the auth script and read the passwords that would be contained > within -- those to my MySQL server. Why would the script be readable or writeable by any user? It only needs to be executable, right? > Is there any way I can have a script that is not readable by a user, > while still allowing that user to execute it? Maybe through using a > wrapper of some sort? I do not have UFS2 so I cannot use ACLs. > > Any suggestions for this as I'm stumped. Thanks very much, Check how Apache normally deals with this; I haven't used the auth module, but I can't believe that it requires insecure practices...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44isifarzq.fsf>