On Tue, Sep 16, 2008 at 07:06:10PM -0700, Don Russell wrote:
>
> I have some php classes I use for accessing mySQL databases on
> localhost.
> Somewhere in there, I have the mySQL userid/password so the php script
> can access the data.
> What is the normal practice for concealing that type of information?
> Keeping classes in /usr/share/php seems to imply they need to be "world
> readable", especially if they are going to be used by CLI scripts as
> well as web page scripts.
> This is on my home machine, it's not like I'm trying to protect a
> million credit card numbers or anything like that. But, I am interested
> in being "security aware"...
> Thanks for any tips/pointers.

If you want to get it close to right, look at what the ssh and sshd folk do.

In general the last thing you want to do is add passwords to your php.

Next to last but better is placing them in a file that has read permissions by only 'you' but not by apache or any process that might be hacked.

Better to have the mySQL database info and passwords in a startup config file, establish a connection to the database, then, having read those bits, do a setuid/setgid transition to a safe account that cannot read or write them. One advantage of using files is that the same code can be reused, say in the case of multiple hosted customers.

Better yet is to have the application prompt for the keys one time... The user can then use a small handful of tricks to mouse cut and paste them on to the prompt, including a good personal memory. One trick is to have encrypted keys on a USB key that can be removed. See also something like Password Safe.
http://www.schneier.com/blog/archives/2005/06/password_safe.html

Do a bit of homework and isolate any authentication stuff in your code to a single file so you can fix it and audit it.

php has a bad track record... use caution. Some of the public examples in the early days of php are badly flawed. Webalizer is one historic bad example to search the web and change logs.
-- 
T o m   M i t c h e l l
Found me a new hat, now what?

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
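The startup pattern Tom describes (read the credentials as a privileged account, open the connection, then setuid/setgid to an account that cannot read the file), as an added PHP CLI example that is not part of the thread. The path /etc/myapp/db.conf, the account name myapp and the INI keys host/user/password/dbname are assumptions; it needs the posix and mysqli extensions and must be started as root for the privilege drop to succeed.

```php
<?php
// Added example, not from the thread. Reads DB credentials from a root-only
// file, connects, then drops to an unprivileged account that cannot read it.
// Assumed values: CRED_FILE path, DROP_TO account, INI keys below.

const CRED_FILE = '/etc/myapp/db.conf';   // mode 0600, owned by root (assumption)
const DROP_TO   = 'myapp';                 // unprivileged account (assumption)

function loadCredentials(string $path): array {
    $st = stat($path);
    if ($st === false) {
        throw new RuntimeException("cannot stat $path");
    }
    // Refuse a credential file that group/others can read: if apache (or any
    // hacked process) can read it, the whole arrangement is pointless.
    if (($st['mode'] & 0077) !== 0) {
        throw new RuntimeException("$path must not be group/world readable");
    }
    $conf = parse_ini_file($path, false, INI_SCANNER_RAW);
    foreach (['host', 'user', 'password', 'dbname'] as $k) {
        if (!isset($conf[$k])) {
            throw new RuntimeException("missing key '$k' in $path");
        }
    }
    return $conf;
}

function dropPrivileges(string $account): void {
    $pw = posix_getpwnam($account);
    if ($pw === false) {
        throw new RuntimeException("no such account: $account");
    }
    // Order matters: supplementary groups and gid first, uid last; once the
    // uid is no longer 0 the group changes would be refused.
    if (!posix_initgroups($account, $pw['gid'])
        || !posix_setgid($pw['gid'])
        || !posix_setuid($pw['uid'])) {
        throw new RuntimeException("failed to drop privileges to $account");
    }
    if (posix_getuid() === 0 || posix_geteuid() === 0) {
        throw new RuntimeException('still running as root after setuid');
    }
}

$c  = loadCredentials(CRED_FILE);
$db = new mysqli($c['host'], $c['user'], $c['password'], $c['dbname']);
unset($c);                       // the secret is no longer needed in memory
dropPrivileges(DROP_TO);
// From here on the script keeps its open connection but cannot re-read
// CRED_FILE: is_readable(CRED_FILE) is now false for this process.
$db->query('SELECT 1');
```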