[olug] protecting MySQL password on multi-user system
Noel Leistad
noel at metc.net
Wed Apr 26 00:53:06 UTC 2006
LINK:
http://us3.php.net/function.mysql-connect
Really no guru..:-(
Noel Leistad wrote:
> Found this link. Looks to me like access to the php.ini file or use of
> apache variables might do the trick for you. One other thing I ran
> across mentioned being sure your file was parsed my php and not
> something that would show as clear text if served up by apache. ie:
> db_connect.inc.php
>
> I'm no guru. I'm willing to hear some more input.
>
> Noel L
>
> Eric P wrote:
>
>> It looks like apache is being run under the user name 'noname'. Does that make sense?
>>
>> $ ps uax|grep apache
>> ...
>> noname ... T Apr18 0:00 /usr/local/apache/bin/httpd -DSSL
>>
>> However, it won't let me chgrp or chown to 'noname'
>> $ chown noname file.php
>> chown: changing ownership of `testing': Operation not permitted
>>
>> Question: if the file's perms are 400, wouldn't someone still be able to include the file in their own web script to see
>> the contents?
>>
>> FYI (to answer Phil), I'm currently the owner of the file and 'users' is the group.
>>
>> Thanks,
>> Eric
>>
>> Nick Veys wrote:
>>
>>
>>> If you had that file owned by the web server process owner, you could
>>> chmod 400 the file and it should work, and be pretty safe.
>>>
>>> On 4/24/06, Eric P <eric.maillist at gmail.com> wrote:
>>>
>>>
>>>
>>>> I'm on a multi-user Linux system running PHP and MySQL.
>>>>
>>>> Whenever I do an SQL query, I include a file just under the web root w/the MySQL username and password.
>>>>
>>>> Even though it's under the web root, I have to keep this file's permission at 644 permissions, or else I get 'permission
>>>> denied'.
>>>>
>>>> Am I missing something here? I definately don't want this file readable by 'other'.
>>>>
>>>> Any advice for the correct approach to this would be greatly appreciated!
>>>>
>>>> Eric Pierce
>>>>
>>>>
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> http://lists.olug.org/mailman/listinfo/olug
>>
>>
>>
>
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
>
>
More information about the OLUG
mailing list