[olug] protecting MySQL password on multi-user system

Nick Veys psylence519 at gmail.com
Wed Apr 26 02:49:15 UTC 2006


As root you should be able to set that file as owned by 'noname'.

If the permissions are 400, only the owner can read it, so yes,
technically anyone who can get a script to run as 'noname' user can
include the script.  It's not bulletproof :)

On 4/25/06, Eric P <eric.maillist at gmail.com> wrote:
> It looks like apache is being run under the user name 'noname'.  Does that make sense?
>
> $ ps uax|grep apache
> ...
> noname    ... T    Apr18   0:00 /usr/local/apache/bin/httpd -DSSL
>
> However, it won't let me chgrp or chown to 'noname'
> $ chown noname file.php
> chown: changing ownership of `testing': Operation not permitted
>
> Question: if the file's perms are 400, wouldn't someone still be able to include the file in their own web script to see
> the contents?
>
> FYI (to answer Phil), I'm currently the owner of the file and 'users' is the group.
>
> Thanks,
> Eric
>
> Nick Veys wrote:
> > If you had that file owned by the web server process owner, you could
> > chmod 400 the file and it should work, and be pretty safe.
> >
> > On 4/24/06, Eric P <eric.maillist at gmail.com> wrote:
> >
> >>I'm on a multi-user Linux system running PHP and MySQL.
> >>
> >>Whenever I do an SQL query, I include a file just under the web root w/the MySQL username and password.
> >>
> >>Even though it's under the web root, I have to keep this file's permission at 644 permissions, or else I get 'permission
> >>denied'.
> >>
> >>Am I missing something here?  I definitely don't want this file readable by 'other'.
> >>
> >>Any advice for the correct approach to this would be greatly appreciated!
> >>
> >>Eric Pierce
>
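
An added example, not part of the original thread: a shell check for the setup discussed above, confirming that the credentials include is owned by the account the web server runs as and grants nothing to group or other. The function name check_cred_file is hypothetical, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a credentials include such as
# the PHP file holding the MySQL username and password.
# Usage: check_cred_file FILE EXPECTED_OWNER
# Returns 0 if FILE is owned by EXPECTED_OWNER and grants nothing to group
# or other (400, 600, ...), 1 if a check fails, 2 if FILE cannot be examined.
check_cred_file() {
    file=$1
    want_owner=$2
    rc=0

    [ -f "$file" ] || { echo "ERROR: $file is not a regular file"; return 2; }

    # GNU coreutils stat (assumed): %U = owner name, %a = octal mode.
    owner=$(stat -c '%U' "$file") || return 2
    mode=$(stat -c '%a' "$file") || return 2

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $file owned by '$owner', expected '$want_owner'"
        rc=1
    fi

    # The last two octal digits are the group and other permission bits.
    case $mode in
        *00|0) ;;
        *) echo "FAIL: $file mode $mode lets group/other access it"
           rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $file ($owner, $mode)"
    fi
    return "$rc"
}

# Constructed demo: a throwaway file stands in for the credentials include,
# and the current user stands in for the web server account ('noname' above).
demo_file=$(mktemp)
for m in 644 400; do
    chmod "$m" "$demo_file"
    check_cred_file "$demo_file" "$(id -un)" || echo "  -> needs fixing"
done
rm -f "$demo_file"
```

A passing result only covers ownership and mode; any script that runs as the same web server user can still read the file, which is the limitation raised in the reply.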


