[olug] protecting MySQL password on multi-user system
noel at metc.net
Wed Apr 26 00:47:19 UTC 2006
Found this link. Looks to me like access to the php.ini file or use of
apache variables might do the trick for you. One other thing I ran
across mentioned being sure your file was parsed by PHP and not
something that would show as clear text if served up by apache. ie:
I'm no guru. I'm willing to hear some more input.
Eric P wrote:
> It looks like apache is being run under the user name 'noname'. Does that make sense?
> $ ps uax|grep apache
> noname ... T Apr18 0:00 /usr/local/apache/bin/httpd -DSSL
> However, it won't let me chgrp or chown to 'noname'
> $ chown noname file.php
> chown: changing ownership of `testing': Operation not permitted
> Question: if the file's perms are 400, wouldn't someone still be able to include the file in their own web script to see
> the contents?
> FYI (to answer Phil), I'm currently the owner of the file and 'users' is the group.
> Nick Veys wrote:
>> If you had that file owned by the web server process owner, you could
>> chmod 400 the file and it should work, and be pretty safe.
>> On 4/24/06, Eric P <eric.maillist at gmail.com> wrote:
>>> I'm on a multi-user Linux system running PHP and MySQL.
>>> Whenever I do an SQL query, I include a file just under the web root w/the MySQL username and password.
>>> Even though it's under the web root, I have to keep this file's permission at 644 permissions, or else I get 'permission
>>> Am I missing something here? I definitely don't want this file readable by 'other'.
>>> Any advice for the correct approach to this would be greatly appreciated!
>>> Eric Pierce
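
An added example, not part of the original thread: a shell check for the three conditions the posts raise (a credentials file readable by 'other', owned by an account other than the web server's, or sitting inside the web root). The function name `audit_cred_file`, its arguments and the sample paths are assumptions, and it relies on GNU `stat` and `readlink`.

```shell
#!/bin/sh
# Added example: audit a PHP credentials include file on a shared host.
# Usage: audit_cred_file FILE WEB_USER WEB_ROOT
# Returns 0 with no findings, 1 with findings, 2 if FILE is missing.
# Assumes GNU coreutils (stat -c, readlink -f), i.e. a Linux host.
audit_cred_file() {
    file=$1 web_user=$2 web_root=$3 findings=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }

    mode=$(stat -c '%a' "$file")          # octal digits, e.g. 644
    owner_uid=$(stat -c '%u' "$file")
    # Accept a user name or a numeric uid for the web server account.
    web_uid=$(id -u "$web_user" 2>/dev/null || echo "$web_user")
    other=$(( mode % 10 ))                # last digit: bits for "other"

    if [ $(( other & 4 )) -ne 0 ]; then
        echo "WORLD-READABLE: mode $mode lets every local account read it"
        findings=1
    fi
    if [ "$owner_uid" != "$web_uid" ]; then
        echo "OWNER: uid $owner_uid is not the web server ($web_user);" \
             "the server can only read it through group/other bits"
        findings=1
    else
        echo "NOTE: every script run as $web_user can read this file"
    fi
    # Inside the web root the file is served as clear text whenever
    # Apache does not hand it to PHP (handler missing, odd extension).
    real=$(readlink -f "$file")
    root=$(readlink -f "$web_root")
    case "$real" in
        "$root"/*) echo "IN-WEBROOT: $real is under the web root"
                   findings=1 ;;
    esac
    return "$findings"
}

# Run directly (placeholder arguments):
#   sh audit.sh /path/to/db.inc.php WEB_USER /path/to/webroot
if [ $# -eq 3 ]; then audit_cred_file "$@"; fi
```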