I'm on an ISP using Apache and Linux. I'm coding in PHP.
The problem is:
I need to store passwords and encryption keys somewhere secure.
I used to store them in files outside of the web path domain, i.e. not within
http://mydomain.com/
However, on my ISP everybody is located under the directory /home/ and as such I _could_ write a PHP script to view all the directories and read any files with world read access located on the server.
So I'm aware these files are not secure on the local Linux server.
Now I've created a script to mkdir() a directory and touch the password files, write the code and chmod() to 0400 access.
I then invoked this script from the web using the Apache process, which effectively creates a read-only file accessible only to the Apache process.
The file is still outside the 'common' web domain directory structure for browsers.
I'm just wondering if there is another or better way to skin this cat?
Thank you for any thoughts in advance.
Oh, and no cats were harmed in the making of this post.
Tom.
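
The mkdir(), write and chmod() 0400 procedure described in the post, as an added example that is not part of the original post: it sets the umask before anything is created so the file is never world-readable, even briefly, and then checks the resulting permissions. It assumes PHP 7 or later; the function names, the demo directory and the sample secret are hypothetical.

```php
<?php
// Added example. Function names, demo path and secret are hypothetical.
function store_secret(string $dir, string $name, string $secret): string
{
    $old = umask(0077);            // nothing is created with group/other bits
    try {
        if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        $path = $dir . '/' . $name;
        // 'x' fails if the path already exists, so a file or symlink that
        // was placed there beforehand is never written through.
        $fh = @fopen($path, 'x');
        if ($fh === false) {
            throw new RuntimeException("refusing to reuse existing $path");
        }
        $ok = fwrite($fh, $secret) === strlen($secret);
        fclose($fh);
        if (!$ok) {
            throw new RuntimeException("short write to $path");
        }
        chmod($path, 0400);        // read-only for the owner, as in the post
    } finally {
        umask($old);               // restore the process umask
    }
    return $path;
}

// Returns a list of problems; an empty list means the permissions hold.
function check_secret_file(string $path): array
{
    clearstatcache();
    $st = @lstat($path);           // lstat: a symlink shows up as mode 0777
    if ($st === false) {
        return ["$path is missing"];
    }
    $problems = [];
    if (($st['mode'] & 0777) !== 0400) {
        $problems[] = sprintf('%s has mode %04o, expected 0400', $path, $st['mode'] & 0777);
    }
    if ((fileperms(dirname($path)) & 0077) !== 0) {
        $problems[] = dirname($path) . ' is open to group or other';
    }
    return $problems;
}

$dir  = sys_get_temp_dir() . '/secrets_demo_' . getmypid();  // demo location
$path = store_secret($dir, 'db.key', "constructed-sample-secret\n");
var_dump(check_secret_file($path));
unlink($path); rmdir($dir);                                  // demo cleanup
```

Mode 0400 restricts the file to the account that owns it, so where every customer's PHP runs as the same Apache user, scripts belonging to other customers run as the file's owner too.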