Re: My rant about unix home directories

Posted by Jamie on 10/19/70 11:46

In <1146331981.634291.288790@g10g2000cwb.googlegroups.com>,
"Chung Leong" <chernyshevsky@hotmail.com> mentions:
>Pointless rant. In a typical set up the database server isn't
>accessible to the outside world, so the risk of exposure through a
>misconfigured web server isn't that unreasonable to take. The database
>login/password is only useful to someone who can access the
>database--i.e. another account on the same server. Putting your config
>file in your home directory does not prevent him from reading it.
>
>Ideally any sensitive info should be stored in httpd.conf, readable
>only by root.

I disagree.

If you don't intend to serve something through a web server, it shouldn't be in
web space.

Granted, I think all of us have at some point or another done it
just because it's convenient. For example, I'll sometimes store
library code in web space. It's easier. (and definitely makes backups
easier)

The safest way to keep someone from accessing data that maybe you
didn't intend to be accessed is to keep it out of web space. (I say
safest, it's still not foolproof, if the machine itself is compromised
all bets are off.)

Reason this bugs me so much is that people have come to expect such
settings ARE stored on the web server. It's become such common
practice I wish it would stop.

Jamie
--
http://www.geniegate.com Custom web programming
guhzo_42@lnubb.pbz (rot13) User Management Solutions
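
An audit along the lines of the reply above, as an added example that is not part of the original post: it walks a document root and lists files the server would hand out as plain text, plus files holding database credentials that only the PHP handler keeps private. The extension list, the credential pattern and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions a PHP handler normally does not interpret,
# so the web server returns the file body as plain text.
PLAIN_TEXT_EXT = {".inc", ".ini", ".conf", ".cfg", ".bak", ".sql", ".old"}
# Assumption: heuristic for a password assigned a quoted literal (PHP/ini style).
CRED_RE = re.compile(
    r"""(?i)(pass(word|wd)?|pwd)\w*['"\]]*\s*(=>|=|,)\s*['"][^'"]+['"]""")

def audit_docroot(docroot):
    """Return sorted (relative_path, reason) findings for files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(65536)  # config files are small; cap the read
            except OSError:
                continue
            has_creds = bool(CRED_RE.search(text))
            if ext in PLAIN_TEXT_EXT or name.endswith("~"):
                extra = ", holds credentials" if has_creds else ""
                findings.append((rel, "served as plain text" + extra))
            elif has_creds:
                findings.append((rel, "exposed if the PHP handler is misconfigured"))
    return sorted(findings)

def demo():
    """Build a constructed home directory and audit only its web space."""
    with tempfile.TemporaryDirectory() as home:
        web = os.path.join(home, "public_html")
        os.makedirs(os.path.join(web, "lib"))
        samples = {  # constructed sample files, not real credentials
            os.path.join(home, "config.php"): "<?php $db_password = 'example-only'; ?>",
            os.path.join(web, "index.php"): "<?php require '../config.php'; ?>",
            os.path.join(web, "config.php"): "<?php $db_password = 'example-only'; ?>",
            os.path.join(web, "lib", "db.inc"): "<?php function connect() {} ?>",
        }
        for path, body in samples.items():
            with open(path, "w") as fh:
                fh.write(body)
        return audit_docroot(web)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The copy of `config.php` kept one level above `public_html` never appears in the findings, because nothing outside the document root is reachable by URL.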
