Posted by "Richard Lynch" on 10/21/57 11:31
On Fri, November 4, 2005 2:36 pm, Bing Du wrote:
> Some functions need you to provide username and password, for instance
> odbc_connect. Even though the username/password just has minimum access
> privileges to the resource, putting it there in clear text in a script gives
> me heartburn. How do people handle username/password in such kind of cases?
> I'm sure there must be some way to store critical information in some
> encrypted format but it's still readable to scripts for authentication
> purpose. But don't know how. Any ideas or pointer would be greatly
> appreciated.
This is an age-old question.
First, let's address your current thinking:
"store critical information in some encrypted format"
Consider this:
Your PHP script has to decrypt that before it can use it.
If they can read the source to get the username/password (encrypted or
plaintext version) they can probably read the PHP source that decrypts
it.
Therefore, the encryption will be a very very very minor barrier.
Okay as a tiny part of a Defense in Depth, but not much of a magic
bullet.
The ideal solution, really, would be a root-only readable file, that
Apache would read before it de-roots itself, storing it in some kind
of protected memory space, not writable to disk, that could be read by
ONLY your PHP scripts, and not anybody else co-hosted on the same
shared server.
At that point, a hacker has to be rummaging through your actual RAM to
get your password. If they can do that well enough to find your
password, you probably can consider yourself as having lost the game
already. :-)
AFAIK, no such Apache Module exists. :-(
There are a lot of fairly easy things you can do, even on a shared server:
Moving the file with the username/password outside the web tree, into
a directory only you can read, with a sub-directory/file PHP/Apache
can read, so that it's harder for others to "stumble" across it is a
start.
You have to dink with php.ini (or .htaccess, most likely)
include_path, but that's not that hard.
If you control httpd.conf on a dedicated server, you can consider
putting the username/password into Environment variables within only
the VirtualHost that needs them (I think that works). More about
that here http://phpsec.org/ I think.
httpd.conf can be root-only readable because Apache starts as root
(and then de-roots itself) after reading httpd.conf.
That does make it hard for others to figure out other settings in
httpd.conf that affect their work, so you may want to use Apache
"include" directives (or whatever they are) if possible.
By the time you've done all that, encrypting the username/password and
then having the decryption code in plain view in your PHP script is
probably not all that useful, really...
As you may have noticed, the answer differs greatly depending on your
server setup: shared or dedicated and your general IT bureaucracy (or
lack thereof) for changing httpd.conf and/or server settings.
You should probably Google and read a whole lot to see the full gamut
of other ideas. Be warned: Some of the published ideas are, ummmm,
not-so-good. Check the sources and their credentials and think for
yourself.
Start at http://phpsec.org to get grounded. Check at http://php.net/
and http://zend.com for official content, and then take the User
Contributed notes with a grain of salt. Then Google and use the whole
salt shaker. :-)
--
Like Music?
http://l-i-e.com/artists.htm
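
The two storage options described in the reply above (environment variables set inside one VirtualHost, and a file outside the web tree), sketched in PHP as an added example that is not part of the original post. The names DB_USER and DB_PASS, the DSN ExampleDSN, the ini keys and the file path are hypothetical, and the permission check assumes Apache reads the file through group permission.

```php
<?php
// Constructed example: DB_USER, DB_PASS, ExampleDSN and the ini path are hypothetical.
function load_db_credentials(string $iniPath, string $docRoot): array
{
    // Dedicated server: the VirtualHost in httpd.conf (or a root-only file it
    // Includes) carries "SetEnv DB_USER ..." and "SetEnv DB_PASS ...".
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASS');
    if ($user !== false && $pass !== false) {
        return [$user, $pass];
    }

    // Shared server: fall back to an ini file kept outside the web tree.
    $real = realpath($iniPath);
    if ($real === false) {
        throw new RuntimeException('credentials file not found');
    }
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException('credentials file is inside the web tree');
    }
    // Refuse a file that "other" can read or write (mode bits 0006), so a
    // co-hosted account cannot simply open it.
    if ((fileperms($real) & 0006) !== 0) {
        throw new RuntimeException('credentials file is world-accessible');
    }
    $cfg = parse_ini_file($real);
    if ($cfg === false || !isset($cfg['user'], $cfg['pass'])) {
        throw new RuntimeException('credentials file is incomplete');
    }
    return [$cfg['user'], $cfg['pass']];
}

[$user, $pass] = load_db_credentials('/home/example/private/db.ini', $_SERVER['DOCUMENT_ROOT'] ?? '');
$conn = odbc_connect('ExampleDSN', $user, $pass);
if ($conn === false) {
    error_log('odbc_connect failed');  // log the failure, never the credentials
    http_response_code(500);
    exit;
}
```

Values set with SetEnv also show up in phpinfo() output and in $_SERVER, so a leftover phpinfo() page on the same VirtualHost exposes them.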