How to secure database password? (was Re: Perl/DBI newbie: password storage / security question)

2003-09-17 Thread zedgar
Hello,

Many thanks to R. Joseph Newton, Motherofperls, essential quint and Chuck Fox for 
answering my questions, however it is still not what I was asking about. My previous 
posts were long and maybe unclear so I'll try to get straight to the point this time, 
adding more details at the bottom of my post.

It is actually an extremely common situation: There is a CGI script written in Perl. 
It is a frontend to an SQL database.

The script has to connect to the database so it has to send a password. I need that 
password to be secure. I am not interested in security through obscurity. There are 
other websites on the web server and other users on the system.

My solution was using SUID wrappers giving my script an EUID of a system user having 
only one purpose: being the only member of the only group having read privilege to a 
file storing the database password. The disadvantage of this solution is the large 
number of system users and groups (a few for every website/database) and corresponding 
database accounts (with the minimum set of privileges each).

I am quite new to Perl and particularly new to database programming, so I'd like to 
ask how all of you Perl gurus are solving that common problem of database password 
security. Is there any better solution than mine?

This problem is simple and common, but if there is any better place to ask these 
questions, I'd be grateful for pointing me there.

I have tried my best to find any related information on the Web and Usenet archives, 
only to fail miserably. I will not believe that any sane person has passwords hardcoded 
into the script itself on any production system, as is suggested in every example 
of using DBI (which, as I assume, is done only for the sake of the examples' 
simplicity).

For more details of my original questions and reasoning see:

Date: Sat, 13 Sep 2003 05:09:58 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
http://www.mail-archive.com/beginners%40perl.org/msg46845.html

Date: Sat, 13 Sep 2003 21:25:55 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
http://www.mail-archive.com/beginners%40perl.org/msg46856.html

I was trying to be very clear this time, moving the most important information to the 
top of my message, so everyone could know what I mean before getting lost in the 
details of my own reasoning. And now some details:

Joseph, I was asking about database password, not password database, but speaking 
about the latter, I would never use a self-made custom hashing algorithm you 
suggested, nor would I buy any third-party RSA encryption application for that 
matter.[1] Also, it is not true that the hashing algorithm is any more secure as a 
compiled object.[2]

Quint, I was not wondering whether to use RDBMS or flat files, but there are ways to 
make working with flat files equally convenient.[3] Of course I use HTTPS for client 
connections, so the users' passwords are safe in transit.[1] I use CPAN modules for 
everything I can and I make sure my own scripts themselves are written with security 
in mind.[4]

Quint, you say that the argument against flat files is that they have to be writable 
by the httpd process EUID, but then you propose embedding the RDBMS password in the 
script or module instead (readable by the server process), which essentially makes the 
whole database world-writable (as anyone with read access to the script or module, 
like everyone exploiting any other CGI script on the system, can gain full access to 
the database), which is absolutely unacceptable for any multiuser system connected to 
the Internet.

Chuck, your solutions of storing the password in another database,[5] or moving the 
password outside the script[6] don't solve the problem, but only move it to someplace 
else, where it is still unsolved, not improving the security at all.

Zedgar.

Footnotes:

[1] About the security of users' passwords: See Digest::* modules on CPAN for hashing 
digests. I use Data::Password::BasicCheck, Data::Password and Crypt::Cracklib (in that 
order) with good dictionaries to make sure the user's new password itself is secure 
enough (to users having problems with hard-to-guess passwords I recommend Password 
Safe, either Bruce Schneier's original Counterpane Labs version, or the new one 
available on SourceForge). The password is stored in the database as a SHA-512 digest 
of the password salted with other data, as well as a large random number also stored 
in the database (Crypt::Random).

[2] Having the hashing algorithm compiled to a native binary object improves 
performance, but not security (for an example see Digest::Perl::MD5 and Digest::MD5).

[3] See DBD::CSV and DBD::AnyData modules for DBI interface to flat files with simple 
SQL queries (processed by SQL::Statement). It's great for quick prototyping, but 
quickly gets slow for larger files. What I personally prefer for prototyping and for 
any situation when there's no acc
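The file-permission side of the SUID-wrapper design described in the post above, as an added Perl example that is not part of the original message: before handing the password to DBI, the script refuses to use the password file unless its owner, group and mode match the intended design (readable only by the dedicated EUID and its group). The file path, group name, DSN and database account below are assumed placeholders, and the script assumes the SUID wrapper has already switched the EUID.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use DBI;

# Assumed placeholders: adjust for the real deployment.
my $PW_FILE  = '/etc/webapp/db_password';                 # password file (assumed path)
my $PW_GROUP = 'webapp_db';                                # only group allowed to read it
my $DSN      = 'DBI:mysql:database=webapp;host=localhost'; # assumed DSN
my $DB_USER  = 'webapp';                                   # assumed database account

# Read the password only if the file matches the intended design:
# owned by root or by the EUID the SUID wrapper gave us, group-owned by
# $PW_GROUP, and not readable, writable or executable by "other" nor
# writable by the group. Anything looser means the protection is gone,
# so we refuse to connect rather than silently use the file.
sub read_db_password {
    my ($path, $group) = @_;
    my @st = stat($path) or die "cannot stat $path: $!";
    my ($mode, $uid, $gid) = ($st[2], $st[4], $st[5]);

    my $want_gid = getgrnam($group);
    defined $want_gid or die "group $group does not exist";
    die "$path: group is not $group" unless $gid == $want_gid;
    die "$path: owner is neither root nor EUID $>" unless $uid == 0 || $uid == $>;
    die sprintf("%s: mode %04o is too permissive", $path, S_IMODE($mode))
        if S_IMODE($mode) & (S_IROTH | S_IWOTH | S_IXOTH | S_IWGRP);

    open my $fh, '<', $path or die "cannot open $path: $!";
    my $pw = <$fh>;
    close $fh;
    defined $pw or die "$path is empty";
    chomp $pw;
    return $pw;
}

my $password = read_db_password($PW_FILE, $PW_GROUP);
my $dbh = DBI->connect($DSN, $DB_USER, $password,
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 })
    or die "connect failed: $DBI::errstr";

# Overwrite and drop our copy once DBI holds the connection.
$password = '0' x length $password;
undef $password;
```

A wrong mode or ownership makes the script die with the offending path and mode, which is the check a deployment script or a curious admin most needs when a password file is accidentally left group-writable or world-readable.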

Re: Perl/DBI newbie: password storage / security question

2003-09-14 Thread zedgar
R. Joseph Newton wrote:
> [EMAIL PROTECTED] wrote:
> 
>>I'm basically concerned about the security of writing a simple web frontend to SQL 
>>database, the most important question being: how should I store the database 
>>password?
>>[...]
>>There are tens of websites on the server and every database access is done with an 
>>account having full (sic) access to all of the tables and - if that wasn't enough - 
>>the password is in the clear in the sourcecode which is all world readable! No 
>>wonder why the previous admin was fired.
> 
> Although only a slight improvement, it can help to shift the database out of the cgi 
> directory.  On the server I use, the web server runs as part of the group.  Therefore 
> if a side directory has chmod 660, the server can access it, but the world can 
> not.  Unfortunately others considered to be part of the same group can also read it.


Thank you Joseph and Motherofperls for your tips, however I need something more than 
security through obscurity, as this database is going to store our customers' personal 
information (real name and contact information) which is absolutely unacceptable to be 
stored in such an insecure manner (we cannot risk being sued or losing our customers 
and of course I most definitely cannot knowingly introduce such a serious 
vulnerability being responsible for that website).

I cannot depend on attackers not finding the database password which is stored as 
cleartext in a world-readable file while its path is included in the script source (or 
even if it wasn't included anywhere, for that matter).

Even if it is group-readable for a group which the httpd process belongs to, it is 
actually not any more secure and only adds one simple step for an attacker to access the 
file with a CGI script by exploiting any script from any website on the server or 
using any user account which can modify any one of those websites, so I'd say it is 
basically world-readable on a server where I am not the only one who has a website.

What I need is a secure way of doing it and I'd like to know how the experienced Perl 
developers solve this common problem. It'd be somewhat hard to believe that people 
actually store sensitive data in production environments in such a way which allows 
full access using the most trivial web attacks and even without any need of attack at 
all for everyone with a website on this server, even without the shell access.

I hope someone who has developed any real production system could answer my question 
or even just tell me to RTFM while kindly pointing me to the right FM, because to my 
great surprise I couldn't find anything in perlfaq and any other Perl documentation or 
books I've read.

Thanks a lot.
-Zedgar Z.

