Re: [PHP] protect password?

2005-11-08 Thread Richard Lynch
On Fri, November 4, 2005 2:36 pm, Bing Du wrote:
> Some functions need you to provide username and password, for instance
> odbc_connect.  Even though the username/password just has minimum access
> privileges to the resource, putting it there in clear text in a script gives
> me heartburn.  How do people handle username/password in such kind of cases?
> I'm sure there must be some way to store critical information in some
> encrypted format but it's still readable to scripts for authentication
> purpose.  But don't know how.  Any ideas or pointer would be greatly
> appreciated.

This is an age-old question.

First, let's address your current thinking:
> store critical information in some encrypted format

Consider this:
Your PHP script has to decrypt that before it can use it.

If they can read the source to get the username/password (encrypted or
plaintext version) they can probably read the PHP source that decrypts
it.

Therefore, the encryption will be a very very very minor barrier.
Okay as a tiny part of a Defense in Depth, but not much of a magic
bullet.

The ideal solution, really, would be a root-only readable file, that
Apache would read before it de-roots itself, storing it in some kind
of protected memory space, not writable to disk, that could be read by
ONLY your PHP scripts, and not anybody else co-hosted on the same
shared server.

At that point, a hacker has to be rummaging through your actual RAM to
get your password.  If they can do that well enough to find your
password, you probably can consider yourself as having lost the game
already. :-)

AFAIK, no such Apache Module exists. :-(

There are a lot of fairly easy things you can do, even on a shared server:
Moving the file with the username/password outside the web tree, into
a directory only you can read, with a sub-directory/file PHP/Apache
can read, so that it's harder for others to stumble across it is a
start.

You have to dink with php.ini (or .htaccess, most likely)
include_path, but that's not that hard.

If you control httpd.conf on a dedicated server, you can consider
putting the username/password into Environment variables within only
the VirtualHost that needs them (I think that works).  More about 
that here http://phpsec.org/ I think.

httpd.conf can be root-only readable because Apache starts as root
(and then de-roots itself) after reading httpd.conf

That does make it hard for others to figure out other settings in
httpd.conf that affect their work, so you may want to use Apache
include directives (or whatever they are) if possible.

By the time you've done all that, encrypting the username/password and
then having the decryption code in plain view in your PHP script is
probably not all that useful, really...

As you may have noticed, the answer differs greatly depending on your
server setup: shared or dedicated and your general IT bureaucracy (or
lack thereof) for changing httpd.conf and/or server settings.

You should probably Google and read a whole lot to see the full gamut
of other ideas.  Be warned:  Some of the published ideas are, u,
not-so-good.  Check the sources and their credentials and think for
yourself.

Start at http://phpsec.org to get grounded.  Check at http://php.net/
and http://zend.com for official content, and then take the User
Contributed notes with a grain of salt.  Then Google and use the whole
salt shaker. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] protect password?

2005-11-08 Thread Richard Lynch


Ooooh!

We both forgot to warn you:

Be VERY careful with <?php phpinfo();?> and var_dump($_SERVER) and
similar coding practices.

You're dumping out your username/password in plaintext at that point
with this technique!

TANSTAAFL!

On Fri, November 4, 2005 5:16 pm, Pablo Gosse wrote:
> [snip]
> Some functions need you to provide username and password, for instance
> odbc_connect.  Even though the username/password just has minimum access
> privileges to the resource, putting it there in clear text in a script gives
> me heartburn.  How do people handle username/password in such kind of cases?
> I'm sure there must be some way to store critical information in some
> encrypted format but it's still readable to scripts for authentication
> purpose.  But don't know how.  Any ideas or pointer would be greatly
> appreciated.
> [/snip]
>
> Some time ago Chris Shiflett provided a nice suggestion on how to make
> your passwords more secure.  It's still not rock solid, but far better
> than storing them in clear text.
>
> The methodology I present below (which Chris presented originally)
> assumes Apache as your web server.  Though I've recently gotten into IIS
> administration I'm not sure of how you would specifically do this under
> IIS.
>
> Create a file outside of your webroot, and in it use SetEnv declarations
> to set a username and password as environment vars.
>
> SetEnv dbuser username
> SetEnv dbpass password
>
> Chown this file such that it is only readable by root, and then
> (assuming you're on a shared host) have it included in your virtual host
> block of the server config file.  If you're on a dedicated box include
> it in the configuration section for the site in question.
>
> Then when the server is restarted you will be able to access the
> username and password via $_SERVER['dbuser'] and $_SERVER['dbpass'] in
> your scripts.
>
> As the first response to your post, not exactly what you were looking
> for, but much more secure than plain text or even simple include
> files.
>
> HTH.
>
> Cheers,
> Pablo




RE: [PHP] protect password?

2005-11-08 Thread Richard Lynch
On Fri, November 4, 2005 5:36 pm, bruce wrote:
> pablo...
>
> i fail to see how your suggestion is much more secure than placing the
> user/passwd information in a file that's outside the web access space, and
> then including the file.
>
> in either case, the user wouldn't be able to read the include file.

Sure they would!

<?php echo file_get_contents('/full/path/to/your/db_connect.inc');?>

If you manage to plug that hole, and you allow SymLinks in your
httpd.conf, and just for fun, you have .phps to show source in pretty
print, both of which can be quite USEFUL for many legitimate uses,
then:

cd ~/document_root
ln -s /full/path/to/your/db_connect.inc exposed.phps
http://example.com/~username/exposed.phps

I used to do that with one host (only in a password-protected web
directory) because it was easier than digging out the 32-character md5
hash password out of my Inbox for the internal database of cool
features I wasn't really supposed to have to worry about because they
were pre-built.  It was an easier way to look up my own password than
the official correct way to do it. [shrug]

Look, if *YOUR* PHP script can read the file, and we're on a shared
server, then *MY* PHP script can read the file, unless the webhost has
gone above and beyond and set up separate httpd pools and usernames
and chroot'ed environments for everybody and all that...  Which is
really hard to find at $20/month.

Hell, it's really hard to even find a webhost who knows enough about
security to even publish that they DO all that, much less for them to
find enough clients who know enough to know they WANT all that.  Of
course, the thousands of webhosts who don't do that hardly want to
publish "Our Security sucks, but what do you want for $20?"

You have to weigh risk against benefits, though for some dinky little
site, and the probability that your co-hosted folks will be
malicious...

Odds are really not that bad, with shared hosts, compared to exposing
your username/password to the whole world in plain-text on the entire
'net.

Particularly if your webhost is vigilant with new clients and if they
have standards or a certain niche they can focus on, so they aren't
trying to be all things to all clients.  I suspect this is a bigger
problem at larger hosts, particularly if their clients are tech-savvy
PHP geeks rather than, say, starving musicians.

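An added example, not part of Richard's message: a self-audit for the two exposures he describes, include files that every local user can read and symlinks in the web tree that point outside it. The function names, the sample tree and the reliance on `readlink -f` are assumptions of this example.

```shell
#!/bin/sh
# Added example: self-audit of your own account on a shared host.
# Function names and the sample layout are illustrative, not from the thread.

# Files you own under DIR that every local user can read (mode has o+r),
# such as an include file left at -rw-r--r--.
world_readable_files() {
    find "$1" -type f -user "$(id -u)" -perm -004 -print | sort
}

# Symlinks under DOCROOT whose resolved target lies outside DOCROOT, such as
# exposed.phps -> /full/path/to/your/db_connect.inc.
# Assumes readlink -f (GNU coreutils or BusyBox).
escaping_symlinks() {
    root=$(readlink -f "$1") || return 1
    find "$root" -type l -print | sort | while IFS= read -r link; do
        target=$(readlink -f "$link") || target=""
        case "$target" in
            "$root"/*) ;;  # target stays inside the web tree
            "") printf '%s -> (unresolvable)\n' "$link" ;;
            *)  printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Constructed sample tree: a private include file at 0644 and a web tree with
# one symlink that stays inside it and one that points at the include file.
make_sample() {
    home_dir=$(readlink -f "$(mktemp -d)") || return 1
    mkdir -p "$home_dir/private" "$home_dir/public_html/img"
    printf '<?php /* constructed placeholder, no credentials */ ?>\n' \
        > "$home_dir/private/db_connect.inc"
    chmod 644 "$home_dir/private/db_connect.inc"
    printf '<?php echo "hello"; ?>\n' > "$home_dir/public_html/index.php"
    chmod 600 "$home_dir/public_html/index.php"
    ln -s "$home_dir/private/db_connect.inc" "$home_dir/public_html/exposed.phps"
    ln -s "$home_dir/public_html/index.php" "$home_dir/public_html/img/home.php"
    printf '%s\n' "$home_dir"
}

# Usage: sh audit.sh HOME_DIR DOCROOT
if [ "$#" -eq 2 ]; then
    world_readable_files "$1"
    escaping_symlinks "$2"
fi
```

Anything either function prints is a file to tighten or a link to remove; a clean account prints nothing.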



RE: [PHP] protect password?

2005-11-08 Thread Richard Lynch
On Fri, November 4, 2005 5:44 pm, Pablo Gosse wrote:
> By setting the file readable only by root this problem is completely
> eliminated.  Unless a hacker has the root password, they will not be
> able to compromise the information in this file.
>
> This is how I understand it, at least.  If Chris reads this perhaps he
> can confirm this for me?

If only 'root' can read the file, and PHP can read the file (IE, your
script still works) then you have HUGE problems, because your PHP
script, and all of Apache, is running as 'root'...

That's *WAY* too much power to be put into your hands, much less your
potentially malicious co-hosted users.

It's *possible* your host has set you up with a chroot-ed environment,
in which you are 'root' for some sort of virtual machine...

Even then, I don't think they'd make all the PHP files root readable
only...

It's more likely that the permissions on the file make it possible for
the PHP user to read them, but not you to read them in the shell.

You could probably write a PHP script to read all the other files and
their passwords, even though you can't read them when you are logged
in as pablo or whatever.

If not, then maybe they HAVE set you up with a fully chroot-ed
environment -- which I've never seen, as far as I know, so I can't be
sure what it looks like, though I can imagine.




Re: [PHP] protect password?

2005-11-08 Thread Chris Shiflett

Richard Lynch wrote:

> > By setting the file readable only by root this problem is
> > completely eliminated. Unless a hacker has the root password,
> > they will not be able to compromise the information in this
> > file.
> >
> > This is how I understand it, at least. If Chris reads this
> > perhaps he can confirm this for me?
>
> If only 'root' can read the file, and PHP can read the file (IE,
> your script still works) then you have HUGE problems, because
> your PHP script, and all of Apache, is running as 'root'...


I think he's referring to the technique described at the end of this 
article on shared hosting security:


http://shiflett.org/articles/security-corner-mar2004

(Sorry, but I somehow missed the original conversation, so I might be 
wrong. Apologies in advance if that's the case.)


Apache does actually run as root (that's why it can bind to port 80), 
but incoming requests are handled by child processes running as nobody. 
This technique leverages the fact that the parent process can read the 
file but child processes (potentially running code from other users) cannot.


The sensitive data exists only in the file and in the memory of child 
processes executing your scripts. This lets you access the data from 
your PHP scripts (it's in $_SERVER) and puts you more in control of the 
exposure of it.


Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/




Re: [PHP] protect password?

2005-11-08 Thread David Tulloh

Richard Lynch wrote:

> On Fri, November 4, 2005 5:44 pm, Pablo Gosse wrote:
>
> > By setting the file readable only by root this problem is completely
> > eliminated.  Unless a hacker has the root password, they will not be
> > able to compromise the information in this file.
> >
> > This is how I understand it, at least.  If Chris reads this perhaps he
> > can confirm this for me?
>
> If only 'root' can read the file, and PHP can read the file (IE, your
> script still works) then you have HUGE problems, because your PHP
> script, and all of Apache, is running as 'root'...

I think you've missed the trick of the method.  The file is included 
into the Apache config, not into php.
So Apache reads the file before it lowers itself to the http user.  This 
means that PHP can't read the file, but it can still get the information 
via Apache.


Further, the file doesn't have to be readable only by root, just not 
readable by the http user.
So owning the file personally and putting -rw--- permissions on it 
should be sufficient, and achievable on a shared host.


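An added example, not from the thread: checks for the SetEnv include file that Chris and David describe (outside the web tree, no group or other read bit) together with a scan for the phpinfo() and var_dump($_SERVER) calls Richard warns about. The function names, the sample files and `readlink -f` are assumptions; the mode check treats any group or other read bit as readable by the http user.

```shell
#!/bin/sh
# Added example: checks for the SetEnv include file and for scripts that
# would print the variables it defines. Names here are illustrative.

# Variable names declared with SetEnv in an Apache include file
# (directive names are case-insensitive).
setenv_names() {
    awk 'tolower($1) == "setenv" && NF >= 2 { print $2 }' "$1"
}

# Report why FILE is a poor place for credentials relative to DOCROOT:
# it sits inside the web tree, or its mode lets group or other read it.
# Prints nothing when both checks pass. Assumes readlink -f is available.
secret_file_problems() {
    file=$(readlink -f "$1") || return 1
    root=$(readlink -f "$2") || return 1
    case "$file" in
        "$root"/*) printf 'inside web tree: %s\n' "$file" ;;
    esac
    if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        printf 'readable by group or other: %s\n' "$file"
    fi
}

# List file:line:text for PHP code under DOCROOT that prints the whole
# environment: phpinfo(), or var_dump/print_r/var_export of $_SERVER or $_ENV.
# /dev/null makes grep print the file name even when given a single file.
env_dump_calls() {
    find "$1" -type f -name '*.php' -exec grep -nE \
        'phpinfo[[:space:]]*\(|(var_dump|print_r|var_export)[[:space:]]*\([[:space:]]*\$_(SERVER|ENV)' \
        /dev/null {} + | sort
}

# Constructed sample: the values are the thread's own placeholders, not secrets.
make_env_sample() {
    base=$(readlink -f "$(mktemp -d)") || return 1
    mkdir -p "$base/conf" "$base/htdocs"
    printf 'SetEnv dbuser username\nSetEnv dbpass password\n' > "$base/conf/db.conf"
    chmod 644 "$base/conf/db.conf"
    printf '<?php phpinfo(); ?>\n' > "$base/htdocs/info.php"
    printf '<?php $c = odbc_connect("dsn", $_SERVER["dbuser"], $_SERVER["dbpass"]); ?>\n' \
        > "$base/htdocs/ok.php"
    printf '%s\n' "$base"
}

# Usage: sh check_setenv.sh SETENV_FILE DOCROOT
if [ "$#" -eq 2 ]; then
    setenv_names "$1"
    secret_file_problems "$1" "$2"
    env_dump_calls "$2"
fi
```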



Re: [PHP] protect password?

2005-11-08 Thread Richard Lynch
On Tue, November 8, 2005 10:03 pm, David Tulloh wrote:
> Richard Lynch wrote:
>
> > On Fri, November 4, 2005 5:44 pm, Pablo Gosse wrote:
> >
> > > By setting the file readable only by root this problem is completely
> > > eliminated.  Unless a hacker has the root password, they will not be
> > > able to compromise the information in this file.
> > >
> > > This is how I understand it, at least.  If Chris reads this perhaps he
> > > can confirm this for me?
> >
> > If only 'root' can read the file, and PHP can read the file (IE, your
> > script still works) then you have HUGE problems, because your PHP
> > script, and all of Apache, is running as 'root'...
>
> I think you've missed the trick of the method.  The file is included
> into the Apache config, not into php.
> So Apache reads the file before it lowers itself to the http user.  This
> means that PHP can't read the file, but it can still get the information
> via Apache.
>
> Further, the file doesn't have to be readable only by root, just not
> readable by the http user.
> So owning the file personally and putting -rw--- permissions on it
> should be sufficient, and achievable on a shared host.

The OP was talking about a file included into PHP...

At least, I *think* he was...




[PHP] protect password?

2005-11-04 Thread Bing Du
Hello,

Some functions need you to provide username and password, for instance 
odbc_connect.  Even though the username/password just has minimum access 
privileges to the resource, putting it there in clear text in a script gives 
me heartburn.  How do people handle username/password in such kind of cases? 
I'm sure there must be some way to store critical information in some 
encrypted format but it's still readable to scripts for authentication 
purpose.  But don't know how.  Any ideas or pointer would be greatly 
appreciated.

Bing 




RE: [PHP] protect password?

2005-11-04 Thread Pablo Gosse
[snip]
Some functions need you to provide username and password, for instance
odbc_connect.  Even though the username/password just has minimum access
privileges to the resource, putting it there in clear text in a script gives
me heartburn.  How do people handle username/password in such kind of cases?
I'm sure there must be some way to store critical information in some
encrypted format but it's still readable to scripts for authentication
purpose.  But don't know how.  Any ideas or pointer would be greatly
appreciated.
[/snip]

Some time ago Chris Shiflett provided a nice suggestion on how to make
your passwords more secure.  It's still not rock solid, but far better
than storing them in clear text.

The methodology I present below (which Chris presented originally)
assumes Apache as your web server.  Though I've recently gotten into IIS
administration I'm not sure of how you would specifically do this under
IIS.

Create a file outside of your webroot, and in it use SetEnv declarations
to set a username and password as environment vars.

SetEnv dbuser username
SetEnv dbpass password

Chown this file such that it is only readable by root, and then
(assuming you're on a shared host) have it included in your virtual host
block of the server config file.  If you're on a dedicated box include
it in the configuration section for the site in question.

Then when the server is restarted you will be able to access the
username and password via $_SERVER['dbuser'] and $_SERVER['dbpass'] in
your scripts.

As the first response to your post, not exactly what you were looking
for, but much more secure than plain text or even simple include files.

HTH.

Cheers,
Pablo




RE: [PHP] protect password?

2005-11-04 Thread bruce
pablo...

i fail to see how your suggestion is much more secure than placing the
user/passwd information in a file that's outside the web access space, and
then including the file.

in either case, the user wouldn't be able to read the include file. 

-bruce



RE: [PHP] protect password?

2005-11-04 Thread Pablo Gosse
[snip]
pablo...

i fail to see how your suggestion is much more secure than placing the
user/passwd information in a file that's outside the web access space,
and then including the file.

in either case, the user wouldn't be able to read the include file. 
[/snip]

Greeting, Bruce.

On a dedicated server there wouldn't be much difference.  However if the
site in question were on a shared host (which is usually the case) there
would be a huge difference.

On shared hosts since files to be included need to be readable by the
user the server runs as their permissions must be set to:

-rw-r--r--

And since every one else who has a site on the same server must also
have files to be included set to be readable by the server user, one
could easily write a trolling script to traverse the directories of
other users on the site and grab whatever info they needed.

The shared host I use for my personal site used to have this problem
until I made them aware of it.  In less than two minutes I was able to
find several database usernames and passwords.  They've since made
changes to eliminate this problem.  All that needs to be done is secure
up the directory permissions and the problem goes away.

By setting the file readable only by root this problem is completely
eliminated.  Unless a hacker has the root password, they will not be
able to compromise the information in this file.

This is how I understand it, at least.  If Chris reads this perhaps he
can confirm this for me?

Cheers,

Pablo




RE: [PHP] protect password?

2005-11-04 Thread bruce
here again

the solution could be managed by the host/sys admin setting the appropriate
privs for the files. in either case the sys admin should be protecting your
files from view by other users!!!

although i can see why one would go with the route where you deal with the
env vars...

my primary point was to stress the file aspect is essentially the same, all
things being equal.

