Re: Permissions for index.php -- hide MySQL password?

Carsten Klapp schrieb:
> On Monday, December 22, 2003, at 12:10  pm, Reini Urban wrote:
> > that's unfortunately a mysql architectural problem. their fault.
> > every perl and php programmer must deal with that solution somehow.
> >
> > one can read in a local file with the password, which is not in
> > the web docroot, but it must be passed cleartext to the database.
> > since php's are normally associated with the php engine, and no one 
> > local access to the webserver (shell or ftp account), it's quite secure.
> >
> > for important mysql passwords in php apps, one stores the passwords in 
> > a secure location. but it must be readable by the apache user, so 
> > anyone with problematic/erratic php script (there are thousands, I 
> > worked for a very large ISP) will be able to read it, if he knows where.
> >
> > > It seems like a security problem, since index.php must be
> > > readable by the web server; it might be possible for anyone
> > > with a login on the project servers to read the MySQL password.
> > > I've read through archives for PHP, MySQL, and PhpWiki, but
> > > there doesn't seem to be a definitive solution. It seems the
> > > standard operating procedure is to ask the SF sysadmins to
> > > "chgrp nobody index.php". Is there another way?
> > > It may be not so much of an issue, since by design, a wiki
> > > is pretty much wide open for abuse anyway. But it seems
> > > like the MySQL-password-in-a-script problem must be generic to many 
> > > SF projects that use MySQL.
> >
> > yes, see above.
> >
> > > How was this problem solved for the PhpWiki project
> > > demonstration wiki?
> >
> > password stored plaintext in index.php.
> > no one without shell account is able to see the content of index.php.

> However, if anyone does figure out how to use an encrypted database 
> password in PhpWiki's index.php, I'm sure such a modification would be 
> welcome.

as I explained this is impossible.
mysql_connect() expects the password to be plaintext.
see http://www.mysql.com/doc/en/mysql_real_connect.html
http://www.mysql.com/doc/en/Password_security.html and
http://www.mysql.com/doc/en/Secure_connections.html

Mysql supports SSL since 4.0.0, but(!) you have to compile your own 
client and server. and it's quite slow since it encrypts the whole 
protocol data exchange, not only auth.


BTW: MySQL 5.0.0alpha came out right now. nice christmas present.
stored procedures finally, as already presented at the last mysql 
conference.
--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click