Help - Securing passwords on a Linux ISP
Posted: Sat Nov 04, 2006 10:12 pm
This post is a bit Linux, SQL, Apache and PHP so I put it in security.
I'm on an ISP using Apache and Linux. I'm coding in PHP.
The problem is:
I need to store passwords and encryption keys somewhere secure.
I used to store them in files outside of the web path domain, i.e. not within http://mydomain.com/
The password files (just define statements in a PHP file) need to have world read access, otherwise the Apache process cannot read them to tie them to the SQL database connection, etc.
However on my ISP everybody is located under the directory /home/ and as such I _could_ write a PHP script to view all the directories and read any files with world read access located on the server.
So I'm aware these files are not secure on the local Linux server.
Now I've created a script to mkdir() a directory and touch the password files, write the code and chmod() to 0400 access.
I then invoked this script from the web using the Apache process, which effectively creates a read-only file accessible only to the Apache process.
The file is still outside the 'common' web domain directory structure for browsers.
I'm just wondering if there is another or better way to skin this cat?
Thank you for any thoughts in advance.
Oh, and no cats were harmed in the making of this post.
Tom.
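The steps described in the post (mkdir(), create the file, chmod() to 0400), as an added example that is not the poster's script: it sets the umask first so the file is never group- or world-readable between creation and chmod(), then audits the resulting modes and owner. The function names, the temporary directory and the DB_PASSWORD constant are hypothetical.

```php
<?php
// Added example; function names, paths and the sample secret are constructed.

/** Create a PHP file of define() statements with no group/other access at any point. */
function write_secret_file(string $dir, string $name, array $defines): string
{
    $old = umask(0077);               // files and dirs created below get no group/other bits
    try {
        if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        $path = "$dir/$name";
        $body = "<?php\n";
        foreach ($defines as $k => $v) {
            $body .= 'define(' . var_export($k, true) . ', ' . var_export($v, true) . ");\n";
        }
        $fh = fopen($path, 'x');      // 'x': fail if the path already exists (no reuse of a planted file)
        if ($fh === false) {
            throw new RuntimeException("cannot create $path");
        }
        fwrite($fh, $body);
        fclose($fh);
        chmod($path, 0400);           // owner read-only, as in the post
        return $path;
    } finally {
        umask($old);                  // restore the process umask
    }
}

/** Return a list of permission problems for the file and its directory; empty means none found. */
function audit_secret_file(string $path): array
{
    clearstatcache();
    $problems = [];
    foreach ([$path, dirname($path)] as $p) {
        $mode = fileperms($p) & 0777;
        if ($mode & 0077) {
            $problems[] = sprintf('%s has mode %04o: group/other bits are set', $p, $mode);
        }
    }
    if (function_exists('posix_geteuid') && fileowner($path) !== posix_geteuid()) {
        $problems[] = "$path is not owned by the user running this script";
    }
    return $problems;
}

$dir  = sys_get_temp_dir() . '/secrets-demo-' . bin2hex(random_bytes(4));
$path = write_secret_file($dir, 'db.php', ['DB_PASSWORD' => 'constructed-sample-value']);
print_r(audit_secret_file($path));
```

Mode 0400 limits the file to its owning user; where other customers' PHP scripts on the same server run as that same Apache user, the file mode does not separate them.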