On Mon, 6 Jan 2003, Octavian Rasnita wrote:

> Date: Mon, 6 Jan 2003 08:33:48 +0200
> From: Octavian Rasnita <[EMAIL PROTECTED]>
> To: Larry Brown <[EMAIL PROTECTED]>,
>     MySQL List <[EMAIL PROTECTED]>
> Subject: Re: Hiding the password
> 
> No, we are not talking about the staff of the hosting company.
> 
> The hosting company runs a single Apache server on a single account on that
> server for all sites that are sitting on that computer.
> If the user that runs the web server has access to your files, this means
> that everyone has access.
> 
It's possible to configure a single virtual host to run as a different 
user and group.  It still won't protect you from people at the hosting 
company, but other hosting clients should be isolated.

> 
> Teddy,
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]
> 
> ----- Original Message -----
> From: "Larry Brown" <[EMAIL PROTECTED]>
> To: "MySQL List" <[EMAIL PROTECTED]>
> Sent: Saturday, January 04, 2003 9:50 PM
> Subject: RE: Hiding the password
> 
> 
> First, why are we conceding that "everyone can find out your id and
> password"?  Your hosting company has your site separated from other
> customers' sites right?  So we are just talking about the development team
> for your site being privy to this information.
> 
> Second, if you are referring to the staff of the hosting company, you can't
> avoid their ability to access data via your login scripts period.  As far as
> I know they can view all of your communication with the MySQL database and
> can get that information.  If you want tight security hosting it yourself is
> a must in my view.
> 
> Larry S. Brown
> Dimension Networks, Inc.
> (727) 723-8388
> 
> -----Original Message-----
> From: wcb [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 04, 2003 1:51 PM
> To: Mark; MySQL
> Subject: Re: Hiding the password
> 
> It isn't at all difficult to grasp.  Please carefully (and exercising a
> certain amount of patience) read my post and the previous post upon which my
> post was based.  We are acknowledging that EVERYONE can find out your id and
> password.  The question reformulated is:
> 
> "Given that one's MySql environment may not be accessible in terms of privs
> (which is the case for a lot of people, who are paying for hosting by a
> third party) and given that we CAN'T hide the id/password combination, is
> the standard arrangement that hosts use (which is to ensure that only
> localhost can access the database) adequate to prevent people from doing
> unwanted things in your database?  NOTE that I'm assuming that one has a
> script on localhost, and all users are from another domain, and also
> assuming that the script is properly set up to constrain the activities of
> users, does it even matter that people can determine the id/password
> combination??"
> 
> Thanks for patient responses.
> 
> Cheers!
> 
> -warren
> 
> 
> 
> >
> > > Perhaps gurus can comment on what I'm suggesting here - if the database is
> > > set up so that only "localhost" can access it, then you can use a php or
> > > PERL script to allow people from elsewhere to cruise in and make queries
> > > as your script allows.
> >
> > Why is this so difficult to grasp? As I, and many others, have pointed out,
> > repeatedly, it does not matter how many layers you wrap around your
> > password-retrieval code, as soon as you make the end-result
> > accessible/readable by your web-CGI, you have done just that: made the
> > user/password accessible by your web-daemon -- hence, made it accessible to
> > everyone with access to your web-server.
> >
> > And no, adding some sort of access-control within your CGI is equally
> > useless: as a user being hosted on your web-server I would not bother to run
> > your CGI, but simply copy it for ocular inspection. :)
> >
> > > Certainly I'd appreciate comments on this by people in the know, because
> > > it is an issue that so many people face...
> >
> > Perhaps those people should do what I do: create special MySQL users
> > (@localhost), unprivileged to the max, with only very narrow SELECT
> > privileges to the databases they are supposed to read data from, and use
> > those users to access the MySQL server in your CGI.
> >
> > - Mark
> >
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> >    http://www.mysql.com/manual.php   (the manual)
> >    http://lists.mysql.com/           (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> >
> 

Sincerely,

William Mussatto, Senior Systems Engineer
CyberStrategies, Inc
ph. 909-920-9154 ext. 27


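Mark's advice in the quoted thread (a dedicated @localhost account with only narrow SELECT privileges) is the practical answer to wcb's question of whether it matters that anyone on the shared server can read the id/password out of the script. The following is an added example, not code from anyone in the thread: it shows the wide grant a host typically hands out next to a least-privilege setup, and the checks that confirm what a leaked password actually buys an attacker. Database, table, column and account names (shopdb, products, articles, orders, webro, webwr) and the passwords are assumed placeholders; the CREATE USER / GRANT split is MySQL 5.7+ and 8.0 syntax (the 2003-era servers in the thread accepted the grants in one GRANT ... IDENTIFIED BY statement).

```sql
-- Added example (not from the thread). All object and account names are assumed.

-- Weak setting often handed out by shared hosts: one account with full rights on the
-- whole database, accepted from any host. Whoever reads the script's config owns the data.
-- GRANT ALL PRIVILEGES ON shopdb.* TO 'site'@'%' IDENTIFIED BY 'pw';

-- Hardened form, part 1: a read-only account bound to localhost and scoped to the
-- tables (and, where useful, the columns) the web script actually queries.
CREATE USER 'webro'@'localhost' IDENTIFIED BY 'change-me-long-random-1';
GRANT SELECT ON shopdb.products TO 'webro'@'localhost';
-- column-level grant: the script never sees columns it was not granted
GRANT SELECT (id, title, body) ON shopdb.articles TO 'webro'@'localhost';

-- Hardened form, part 2: writes the script must perform go through a second,
-- equally narrow account, so the read-only password cannot be used to modify data.
CREATE USER 'webwr'@'localhost' IDENTIFIED BY 'change-me-long-random-2';
GRANT INSERT ON shopdb.orders TO 'webwr'@'localhost';

-- Check 1: enumerate exactly what each account can do. Anything beyond USAGE and
-- the grants issued above means the account is wider than the script needs.
SHOW GRANTS FOR 'webro'@'localhost';
SHOW GRANTS FOR 'webwr'@'localhost';

-- Check 2: confirm no wide-open or wildcard-host accounts remain on the server.
SELECT user, host FROM mysql.user WHERE host = '%' OR user = '';

-- Check 3 (run while connected as webro): every statement outside the grant must
-- be refused with "command denied to user" (MySQL error 1142), e.g.
-- UPDATE shopdb.products SET price = 0;
-- SELECT * FROM shopdb.orders;
-- SELECT author_secret FROM shopdb.articles;

-- Check 4 (from a machine other than the web server): connecting as webro with the
-- correct password must fail with "Access denied", because the account exists only
-- for 'localhost':
-- mysql -h db.example.com -u webro -p shopdb

-- Only needed if the mysql.* tables were edited directly; harmless after GRANT.
FLUSH PRIVILEGES;
```

The design choice here is to assume the password will leak, as the thread concedes, and to bound the damage instead of hiding the secret: a leaked webro password yields read access to two tables on localhost and nothing else, and the write path is a separate credential that the read path never touches. This does nothing against the hosting company's own staff, who, as Larry and Mark note, can read the script and watch the database traffic regardless.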