Assuming you create a Perl module outside of the webserver's
document root, the tricky thing is that for cgi scripts, the
user that the web server is running as needs at least "read"
access to that file that contains the DB passwords.

What platform are you on?

Assuming a *nix platform, I suppose you could create a group
(just_us) that would consist of you, your boss, and the user
the webserver runs under, and then

  /var/our_perl_modules
  ---------------------
    DB.pm - contains the DB password $my_db_pw

    have DB.pm file owner "john", group "just_us", and have
    permissions 750 (read, write, execute for owner, and
                     read, execute for group, and nothing
                     for world)

  /var/www/cgi-bin/my_script.cgi
  ------------------------------
    use lib '/var/our_perl_modules';
    use DBI;   # needed for DBI->connect below
    use DB;
    ...
    my $dbh = DBI->connect($dsn,
                           $DB::my_db_user,
                           $DB::my_db_pw,
                         { RaiseError => 1, PrintError => 0, AutoCommit => 1 }
    );


Note: This is all off the top of my head - it is untested, and
it wouldn't surprise me if it's not syntactically correct, but
hopefully it shows you how it might be done.  Read up on Perl
modules by doing

   perldoc perlmod

at a command prompt.  Doing 'perldoc perl' I found these perldocs
related to modules:

   perlmod             Perl modules: how they work
   perlmodlib          Perl modules: how to write and use
   perlmodstyle        Perl modules: how to write modules with style
   perlmodinstall      Perl modules: how to install from CPAN
   perlnewmod          Perl modules: preparing a new module for distribution


But if there are other administrators (with "root" access)
on the machine, they'll be able to get at your DB.pm by
just su'ing to one of the user accounts in the group.

I'm no security expert, and hopefully I haven't mis-stated
anything (please correct me if I'm wrong), but maybe that
gives you an idea or two.

One other thing - if your webserver is Apache, you might
want to check out "suexec".  That allows you to locate cgi
scripts underneath a *regular* user's home directory, and run
those scripts as that regular user (they won't run as the
webserver user, they will actually run as the user whose
home directory it is).

HTH.

-- 
Hardy Merrill
Senior Software Engineer
Red Hat, Inc.

John Gedeon [[EMAIL PROTECTED]] wrote:
> I write/maintain web applications at my job, and several of them are in
> Perl and use the Perl DBI to connect to an Oracle db. However, the
> passwords are displayed in the files and are accessible by many people
> outside of our group (since all the cgi files are on servers accessible by
> many people.) Is there a way to hide the passwords in a file so that Perl
> can still connect to the db but not allow anyone but me and maybe my
> supervisor to see the password?
> Thanks.
> John Gedeon
> 
> <>< Proverbs 3:5 "Trust in the Lord with all your heart and lean not on 
> your own understanding;"
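
Added example, not part of the original message: a Perl helper that refuses to read DB credentials from a file unless "world" has no access to it, which is the property the owner/group/750 layout in the reply is meant to guarantee. It generalizes the DB.pm idea to a plain key=value file; the helper name load_db_credentials, the file format, and the sample values are assumptions made for this illustration.

```perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Hypothetical helper: returns (user, password), or dies if the file's
# permissions are looser than "owner and group only".
sub load_db_credentials {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my @st = stat $fh or die "cannot stat $path: $!\n";   # stat the open handle, not the name
    my $mode = $st[2];
    die "$path is not a regular file\n" unless S_ISREG($mode);
    die sprintf("%s has mode %04o: remove all access for world\n", $path, $mode & 07777)
        if $mode & S_IRWXO;
    die "$path is group-writable\n" if $mode & S_IWGRP;
    my %cred;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;                   # skip comments and blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "bad line $. in $path\n";
        $cred{$k} = $v;
    }
    close $fh;
    defined $cred{$_} or die "$path: missing '$_'\n" for qw(user password);
    return @cred{qw(user password)};
}

# Constructed sample file; on a real host it would live outside the document root.
my ($tmp, $file) = tempfile(UNLINK => 1);
print {$tmp} "# constructed sample values\nuser = app_user\npassword = example-only\n";
close $tmp;

# Mode 750 as suggested in the reply: no bits set for world, so it is accepted.
chmod 0750, $file or die "chmod: $!\n";
my ($user, $pw) = load_db_credentials($file);
print "0750 accepted, user=$user\n";
# $user and $pw would then be passed to DBI->connect($dsn, $user, $pw, {...}).

# World-readable: the helper dies before any credential is returned.
chmod 0644, $file or die "chmod: $!\n";
my $ok = eval { load_db_credentials($file); 1 };
print "0644 ", ($ok ? "accepted\n" : "rejected: $@");
```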
