Posted to modperl@perl.apache.org by James G Smith <JG...@TAMU.Edu> on 2002/11/15 19:25:03 UTC

Re: AW: Apache::DBI and password security

"Faßhauer, Wolfgang, FCI3" <wolfgang.fasshauer@lfk.eads.net> wrote:
>>>Hi,
>>>
>>>I want to build a database application based on mod_perl and Apache::DBI.
>>>The goal of Apache::DBI is to get persistent database connections using only
>>>one database user because of resource limits. The problem I see is that the
>>>password for connecting to the database is clear readable in the perl
>>>script.
>>>Does anybody know how to hide that password?
>>>I think, storing it in a file for reading by the script is not the right way
>>>(?).
>>>
>>>Thanks for help!
>>>
>>>- Wolfgang
>
>> Have you thought of running your webserver as some 'www' user?  You can
>> then make your scripts readonly by a 'dev' group which the www user and
>> the developers are members of.
>>CORRECT:
>>'readonly' should be 'only readable' by
>
>Yes, that's our plan, too. But the risk still remains that someone will get
>a look at the script. I think, there is a golden rule: Never put clear text
>passwords in files. Those files are stored in archives by backup for
>example. There may be a lot of people (sysadmin, developer, ...) concerned
>with the webserver. So it's not easy to secure it.

Something we do is put the password in a file outside the document
root.  The script reads the file.  If running with mod_perl, this can
be in a file readable only by root read during server startup
(assuming the server starts up as root).  Then the password can be
cached in memory.  

If it changes, a graceful restart might be sufficient, but I haven't
tried that yet -- most of our current code is PHP that we are
working on replacing.  The last time I played with mod_perl and
graceful restarts was the early 1.2x or late 1.1x mod_perl and it
didn't always work well, iirc.  I think some of that has been fixed.
-- 
James Smith <JG...@TAMU.Edu>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix
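
The approach described in the reply above, as an added example (not code from the original post or from the Apache::DBI distribution): a mod_perl startup file that reads the password from a root-only file outside the document root while the parent httpd is still root, refuses to start if the file's ownership or mode is too loose, and caches the value in memory. The package name, file path, DSN and database user name are assumptions made for illustration.

```perl
# startup.pl -- loaded via "PerlRequire" in httpd.conf, so it runs once in
# the parent httpd process while it is still root, before children are forked.
package My::DBSecret;    # hypothetical package name

use strict;
use warnings;
use Fcntl qw(:mode);
use Apache::DBI ();

# Assumed location: outside the document root, owner root, mode 0400.
my $SECRET_FILE = '/usr/local/apache/private/db.passwd';
my $password;            # cached in memory; inherited by forked children

sub load_secret {
    my ($path) = @_;

    # Open first, then stat the handle, so the checks apply to the file
    # actually read rather than to whatever the path names a moment later.
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @st = stat($fh) or die "cannot stat $path: $!\n";

    die "$path is not a regular file\n" unless S_ISREG($st[2]);
    die "$path is not owned by root\n"  unless $st[4] == 0;
    die "$path is accessible by group or other\n"
        if S_IMODE($st[2]) & (S_IRWXG | S_IRWXO);

    my $secret = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $secret && length $secret;
    chomp $secret;
    return $secret;
}

# Accessor for handlers and scripts running in the same interpreter.
sub password { return $password }

$password = load_secret($SECRET_FILE);

# Placeholder DSN and user name. Apache::DBI opens the connection in each
# child at child-init time using the password cached above.
Apache::DBI->connect_on_init(
    'dbi:Pg:dbname=appdb', 'webapp', $password,
    { RaiseError => 1, AutoCommit => 1 },
);

1;
```

Handlers and Apache::Registry scripts then call `DBI->connect` with the same arguments, taking the password from `My::DBSecret::password()`, so Apache::DBI returns the cached connection and no script file contains the password. The value is still readable by any Perl code running inside the server's child processes.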