[olug] protecting MySQL password on multi-user system
Eric P
eric.maillist at gmail.com
Tue Apr 25 23:48:10 UTC 2006
It looks like apache is being run under the user name 'noname'. Does that make sense?
$ ps uax|grep apache
...
noname ... T Apr18 0:00 /usr/local/apache/bin/httpd -DSSL
However, it won't let me chgrp or chown to 'noname'
$ chown noname file.php
chown: changing ownership of `testing': Operation not permitted
Question: if the file's perms are 400, wouldn't someone still be able to include the file in their own web script to see
the contents?
FYI (to answer Phil), I'm currently the owner of the file and 'users' is the group.
Thanks,
Eric
Nick Veys wrote:
> If you had that file owned by the web server process owner, you could
> chmod 400 the file and it should work, and be pretty safe.
>
> On 4/24/06, Eric P <eric.maillist at gmail.com> wrote:
>
>>I'm on a multi-user Linux system running PHP and MySQL.
>>
>>Whenever I do an SQL query, I include a file just under the web root w/the MySQL username and password.
>>
>>Even though it's under the web root, I have to keep this file's permission at 644 permissions, or else I get 'permission
>>denied'.
>>
>>Am I missing something here? I definitely don't want this file readable by 'other'.
>>
>>Any advice for the correct approach to this would be greatly appreciated!
>>
>>Eric Pierce
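Added example, not part of the original thread: a bash function that classifies who can read a credentials file from its mode bits and owner, covering the 644 and 400 cases discussed above. It assumes GNU stat and that every user's PHP script runs under the one web server account (shown as 'noname' in the ps output); the function name and labels are hypothetical.

```bash
#!/bin/bash
# Added example: who can read a PHP credentials file on a shared host?
# Needs GNU stat (Linux). The web server account is passed by name or UID.

classify_cred_file() {
    local file=$1 web_user=$2 mode owner_uid web_uid
    [ -f "$file" ] || { echo "missing"; return 2; }
    # %a = octal mode, %u = numeric owner UID
    read -r mode owner_uid <<EOF
$(stat -c '%a %u' "$file")
EOF
    # Resolve the web server account to a UID; keep the raw value if unknown.
    web_uid=$(id -u "$web_user" 2>/dev/null) || web_uid=$web_user

    if [ $(( 0$mode & 0004 )) -ne 0 ]; then
        echo "world-readable"      # e.g. 644: every local account can read it
    elif [ $(( 0$mode & 0040 )) -ne 0 ]; then
        echo "group-readable"      # e.g. 640: every member of the file's group
    elif [ "$owner_uid" = "$web_uid" ]; then
        # e.g. 400 owned by the httpd user: shell users are locked out, but
        # every script that httpd executes under this UID can still open it
        # (assumption: all users' PHP runs as the same web server account).
        echo "webserver-uid-only"
    else
        # e.g. 400 owned by you while httpd runs as another user:
        # the web server gets 'permission denied' on include.
        echo "owner-only"
    fi
}

# Demo on a constructed temp file (not a real credentials file).
demo() {
    local f; f=$(mktemp)
    chmod 644 "$f"; echo "644, httpd as noname: $(classify_cred_file "$f" noname)"
    chmod 400 "$f"; echo "400, httpd as noname: $(classify_cred_file "$f" noname)"
    chmod 400 "$f"; echo "400, httpd as owner:  $(classify_cred_file "$f" "$(id -u)")"
    rm -f "$f"
}
demo
```

The classification reads permission bits only; it does not account for ACLs or for the web server account being a member of the file's group.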