[olug] protecting MySQL password on multi-user system
Noel Leistad
noel at metc.net
Wed Apr 26 00:47:19 UTC 2006
Found this link. Looks to me like access to the php.ini file or use of
apache variables might do the trick for you. One other thing I ran
across mentioned being sure your file was parsed by PHP and not
something that would show as clear text if served up by apache, i.e.:
db_connect.inc.php
I'm no guru. I'm willing to hear some more input.
Noel L
Eric P wrote:
> It looks like apache is being run under the user name 'noname'. Does that make sense?
>
> $ ps uax|grep apache
> ...
> noname ... T Apr18 0:00 /usr/local/apache/bin/httpd -DSSL
>
> However, it won't let me chgrp or chown to 'noname'
> $ chown noname file.php
> chown: changing ownership of `testing': Operation not permitted
>
> Question: if the file's perms are 400, wouldn't someone still be able to include the file in their own web script to see
> the contents?
>
> FYI (to answer Phil), I'm currently the owner of the file and 'users' is the group.
>
> Thanks,
> Eric
>
> Nick Veys wrote:
>
>> If you had that file owned by the web server process owner, you could
>> chmod 400 the file and it should work, and be pretty safe.
>>
>> On 4/24/06, Eric P <eric.maillist at gmail.com> wrote:
>>
>>
>>> I'm on a multi-user Linux system running PHP and MySQL.
>>>
>>> Whenever I do an SQL query, I include a file just under the web root w/the MySQL username and password.
>>>
>>> Even though it's under the web root, I have to keep this file's permission at 644 permissions, or else I get 'permission
>>> denied'.
>>>
>>> Am I missing something here? I definitely don't want this file readable by 'other'.
>>>
>>> Any advice for the correct approach to this would be greatly appreciated!
>>>
>>> Eric Pierce
>>>
>
>
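A check for the two exposures raised in this thread (a credentials include readable by 'other', and an include inside the web root that is not parsed by PHP), as an added example that is not from any poster. It assumes the server passes only `*.php` files to PHP and that the document root is given as the second argument; `audit_cred_file` is a hypothetical name.

```sh
#!/bin/sh
# Added example, not code from the thread. audit_cred_file is a hypothetical
# helper. Assumptions: the server passes only *.php files to PHP, and the
# caller supplies the document root as the second argument.
#
# Prints one finding per line; exit status is the number of findings
# (1 on bad arguments). The body runs in a subshell so variables stay local.
audit_cred_file() (
    file=$1
    findings=0

    [ -f "$file" ] || { echo "not a regular file: $file"; exit 1; }
    docroot=$(cd -- "$2" && pwd -P) || exit 1

    # ls mode string: char 1 is the type, 2-4 user, 5-7 group, 8-10 other.
    mode=$(ls -ld -- "$file" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c8)" = "r" ]; then
        echo "$mode: readable by 'other', any local account can read it"
        findings=$((findings + 1))
    fi

    # Resolve symlinked directories before comparing against the docroot.
    abs=$(cd -- "$(dirname -- "$file")" && pwd -P)/$(basename -- "$file")
    case $abs in
        "$docroot"/*.php) ;;            # inside docroot, parsed by PHP
        "$docroot"/*)
            echo "$abs: in document root without .php, may be served as clear text"
            findings=$((findings + 1)) ;;
    esac
    exit "$findings"
)
```

A clean result says nothing about other accounts' PHP scripts that run under the same web server user, which is the case Eric asks about for mode 400.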