"Faßhauer, Wolfgang, FCI3" <[EMAIL PROTECTED] ads.net> wrote:
>>> Hi,
>>>
>>> I want to build a database application based on mod_perl and Apache::DBI.
>>> The goal of Apache::DBI is to get persistent database connections using only
>>> one database user because of resource limits. The problem I see is that the
>>> password for connecting to the database is clearly readable in the perl
>>> script.
>>> Does anybody know how to hide that password?
>>> I think storing it in a file for reading by the script is not the right way
>>> (?).
>>>
>>> Thanks for help!
>>>
>>> - Wolfgang
>
>> Have you thought of running your webserver as some 'www' user? You can
>> then make your scripts readonly by a 'dev' group which the www user and
>> the developers are members of.
>> CORRECT:
>> 'readonly' should be 'only readable' by
>
> Yes, that's our plan, too. But the risk still remains that someone will get
> a look at the script. I think there is a golden rule: Never put clear text
> passwords in files. Those files are stored in archives by backup, for
> example. There may be a lot of people (sysadmin, developer, ...) concerned
> with the webserver. So it's not easy to secure it.
Something we do is put the password in a file outside the document root. The script reads the file. If running with mod_perl, this can be in a file readable only by root, read during server startup (assuming the server starts up as root). Then the password can be cached in memory.

If it changes, a graceful restart might be sufficient, but I haven't tried that yet -- most of our current code is PHP that we're working on replacing. The last time I played with mod_perl and graceful restarts was the early 1.2x or late 1.1x mod_perl and it didn't always work well, iirc. I think some of that has been fixed.

-- 
James Smith <[EMAIL PROTECTED]>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix
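The setup James describes, as an added example that is not code from the thread or from Apache::DBI itself: a mod_perl startup script (loaded with `PerlRequire`, which runs in the parent httpd while it is still root) reads the database password from a root-only file outside the DocumentRoot, checks that the file is actually a regular file owned by root with no group/other permission bits, caches the value in a package lexical, and hands it to `Apache::DBI->connect_on_init` so each child opens its persistent connection without the password ever appearing in a script under the document root. The paths `/etc/httpd/startup.pl` and `/etc/httpd/private/db.pass`, the DSN, the user `webapp`, and the package name `My::DBSecret` are assumptions for illustration.

```perl
# /etc/httpd/startup.pl  (hypothetical path)
# Loaded from httpd.conf with:   PerlRequire /etc/httpd/startup.pl
# Example code, not from the thread. Runs once in the parent httpd, as root,
# before Apache switches to its unprivileged 'www' user and forks children.
package My::DBSecret;
use strict;
use warnings;
use Fcntl qw(:mode);
use Apache::DBI ();

# Assumed locations; keep the secret file outside DocumentRoot, owned by root, mode 0600.
my $SECRET_FILE = '/etc/httpd/private/db.pass';
my $DSN         = 'dbi:mysql:database=webapp;host=localhost';
my $USER        = 'webapp';

# Cached in the parent's memory; forked children inherit it, so they never
# need to open the root-only file themselves.
my $cached_password;

sub read_secret {
    my ($path) = @_;
    my @st = lstat $path or die "cannot stat $path: $!";
    # Refuse anything but a regular file (no symlink tricks) owned by uid 0
    # with no group/other permission bits set.
    die "$path must be a regular file, not a symlink" unless S_ISREG($st[2]);
    die "$path must be owned by root (uid 0)"        unless $st[4] == 0;
    die sprintf("%s has mode %04o, want 0600", $path, S_IMODE($st[2]))
        if S_IMODE($st[2]) & (S_IRWXG | S_IRWXO);

    open my $fh, '<', $path or die "cannot open $path: $!";
    my $pw = <$fh>;
    close $fh;
    die "$path is empty" unless defined $pw;
    chomp $pw;                     # the file holds the bare password plus a newline
    return $pw;
}

# Accessor used by handlers; reads the file once, then serves the cached copy.
sub password {
    $cached_password = read_secret($SECRET_FILE) unless defined $cached_password;
    return $cached_password;
}

# Read now, while still root. Dies (and so aborts httpd startup) if the file
# is missing or its ownership/permissions are wrong.
password();

# Have Apache::DBI open the connection in each child as it starts; later
# DBI->connect calls with identical arguments are served from that child's cache.
Apache::DBI->connect_on_init($DSN, $USER, password(),
                             { RaiseError => 1, AutoCommit => 1 });

1;
```

In a handler, `DBI->connect($DSN, $USER, My::DBSecret::password(), { RaiseError => 1, AutoCommit => 1 })` then returns the child's cached handle; the password is never written into the handler source. The caveat a practitioner should keep in mind: this hides the secret from anyone who can read the document tree, the scripts or their backups, but it still lives in the memory of every `www` child process, so anyone who can attach a debugger to or core-dump those processes (root, or the `www` user itself) can still recover it. Since the cache is a file-scoped lexical, re-executing the startup script on a restart re-reads the file; whether a graceful restart re-runs it in a given mod_perl version is, as James notes, something to test rather than assume.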