Help - Securing passwords on a Linux ISP

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
Dr.Goodvibes
Forum Newbie
Posts: 19
Joined: Wed May 24, 2006 10:14 am
Location: New Zealand

Help - Securing passwords on a Linux ISP

Post by Dr.Goodvibes »

This post is a bit Linux, SQL, Apache and PHP so I put it in security. :)

I'm on an ISP using Apache and Linux. I'm coding in PHP.

The problem is:

I need to store passwords and encryption keys somewhere secure.
I used to store them in files outside of the web path domain. i.e. not within

Code: Select all

http://mydomain.com/
The password files (just define statement in a php file) need to have world read access, otherwise the Apache process can not read them to tie them to the SQL database connection and etc.

However on my ISP everybody is located under the directory /home/ and as such I _could_ write a PHP script to view all the directories and read any files with world read access located on the server.
So I'm aware these files are not secure on the local Linux server.

Now I've created a script to mkdir() a directory and touch the password files, write the code and chmod() to 0400 access.
I then invoked this script from the web using the Apache process, which effectively creates a read-only file accessible only to the Apache process.
The file is still outside the 'common' web domain directory structure for browsers.

I'm just wondering if there is another or better way to skin this cat?

Thank you for any thoughts in advance.

Oh, and no cats were harmed in the making of this post. :wink:

Tom.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Everyone that can create scripts that are executed by the webserver can write a script that reads those files...
Dr.Goodvibes
Forum Newbie
Posts: 19
Joined: Wed May 24, 2006 10:14 am
Location: New Zealand

Post by Dr.Goodvibes »

That's very true, however, I'm hopefully not making it easy for them.
I guess I should obfuse the file in some way too.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

How would that help??? You still have a script that needs to know where the passwords are stored (if you didn't, you wouldn't be storing the passwords in the first place :))...
Dr.Goodvibes
Forum Newbie
Posts: 19
Joined: Wed May 24, 2006 10:14 am
Location: New Zealand

Post by Dr.Goodvibes »

How would that help, well... probably wouldn't if someone decided their mission in life was to get the passwords come hell or high water.
However, if you just leave things lying around in world read mode files, there is a higher chance someone up to no good on the local server will find them and go, wwoooo, that's interesting.

I guess I was wondering what do other people do on shared Unix/Linux systems when it comes to Database passwords and etc?

Moving the passwords out of the web domain is fine when you're in control of the 'complete' system however us plebs on ISPs....
Post Reply