Posted by Rob Tanner on 03/02/05 06:27
John,
We're a four-year college. Some maintainers are faculty, some are
staff and some are work-study (students) and centrally we have little
say over who can and can't. We use webdav but people inevitably share
passwords (policies against doing such notwithstanding) and that's a
problem we can do little about until after the fact. Back in the days
of cgi when executables were only allowed in cgi-bin which was
exclusively under the control of the webmaster, passwords could be put
into root-only readable files and read up by apache into its
environment, but that kind of control is unacceptable today in a
liberal arts college environment. So the question is, how do we
protect ourselves from folks who misbehave (after all, I do lock my
front door even though in theory I trust my neighbors).
-- Rob
--On Tuesday, March 01, 2005 07:57:31 PM -0500 John Holmes
<holmes072000@charter.net> wrote:
> Rob Tanner wrote:
>> We have a number of PHP webpages that access one of several MySQL
>> databases and while the PHP files that contain the passwords cannot
>> be accessed via the web, we are becoming increasingly concerned over
>> the possibility of other webpage maintainers viewing those files.
>> How have other folks protected database passwords needed by PHP apps?
>
> Who are these "other webpage maintainers" and why do they have access
> to your PHP source code? This isn't a PHP issue. The MySQL password
> has to be in a file as plain text; there's no getting around that (as
> recently discussed on here). Your issue is controlling access to the
> machine and the files, so is an OS/policy/trust issue, imo.
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR