Re: [PHP] How can I secure database passwords used by PHP webpages

2005-03-02 Thread Richard Lynch
Rob Tanner wrote:
> We're a four year college.  Some maintainers are faculty, some are
> staff and some are work-study (students) and centrally we have little
> say over who can and can't.

You can put super crucial username/passwords into httpd.conf or
root-readable files that get included into httpd.conf.

Other than that, the basic rule to remember is:
If PHP can read the password, so can anybody with a login.

If that's not acceptable for that password, you have very few options:

Move it to httpd.conf
Get rid of that user

Maybe you need to re-structure your server and its access levels to
reflect reality.

You probably trust faculty/staff more than students in terms of
intentional abuse.

Though naivete and ignorance might go the other way 'round. :-)

You *could* run two pools of Apache servers, with two different configs,
and two different PHP users, and give different User/Group settings in the
two different httpd.conf files to separate your faculty/staff from your
students.

Though it might be cheaper to just buy a stock Linux box and move all the
students to that box -- where you simply accept the fact that students are
going to mess it up more than the faculty/staff box.

At any rate, the problem is simply not solvable by PHP, and, when you get
right down to it, not even in the PHP realm.

Whatever trust level you have or don't have, the database passwords being
readable by untrusted users who have logins is lower on the problem stack
than a zillion other nasty things they can do if they have a login and you
don't trust them.

Fixing the passwords may well have looked like the easiest one to tackle,
but it's not that easy at all, and you won't improve your general security
health level even if it *was* something easy to fix, as the perpetrators
would simply turn aside from db access and do more... interesting...
things with their logins.

PS Finding a perpetrator and penalizing them harshly and publicly may wake
up some students to the risks of what they are doing.  Or not...  Worth
considering.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
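The httpd.conf approach Richard describes, written out as an added example that is not from this thread: a root-owned, mode 0600 file is pulled in with Include, and Apache parses it as root at startup before switching to the unprivileged User/Group account, so other shell users cannot read it. The file path, variable names, ServerName and DocumentRoot below are assumptions.

```apache
# --- in httpd.conf (parsed by Apache as root at startup) ---
# Credentials live in a separate file that only root can read:
#   chown root:root /etc/apache2/db-credentials.conf
#   chmod 0600      /etc/apache2/db-credentials.conf
Include /etc/apache2/db-credentials.conf

# --- /etc/apache2/db-credentials.conf (assumed path; root-owned, mode 0600) ---
# Scoped to one vhost so the variable is only exported into the request
# environment of scripts served from that tree, not every site on the box.
<VirtualHost *:80>
    ServerName registrar.example.edu
    DocumentRoot /var/www/registrar
    # The PHP side reads these with getenv('DB_USER') / getenv('DB_PASS')
    # instead of hard-coding a literal in a world-readable .php file.
    SetEnv DB_USER registrar_app
    SetEnv DB_PASS "REPLACE-WITH-REAL-PASSWORD"
</VirtualHost>
```

Any script Apache runs inside that vhost can still call getenv('DB_PASS'), and a stray phpinfo() page would print it, which is exactly the "if PHP can read the password, so can anybody" limit stated above; this only protects against other login users reading the file, not against other scripts in the same pool.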



RE: [PHP] How can I secure database passwords used by PHP webpages

2005-03-02 Thread Chris W. Parker
Dan Tappin on Wednesday, March 02, 2005 7:32 AM said:

> The best way is to not store the password at all.
> 
> Store a hash of the password like this:
> 
> INSERT INTO users SET pass = MD5('password');
> 
> Now not knowing how you authenticate those passwords this might not
> work.
> 
> If it's an internal web page via PHP all you do is MD5 the users
> supplied password and compare to your DB.

But that doesn't help in this situation because the OP is not referring
to passwords for users of the website but rather the password(s) for
MySQL so that the application can access the db.



Chris.




Re: [PHP] How can I secure database passwords used by PHP webpages

2005-03-02 Thread Dan Tappin
The best way is to not store the password at all.
Store a hash of the password like this:
INSERT INTO users SET pass = MD5('password');
Now not knowing how you authenticate those passwords this might not
work.

If it's an internal web page via PHP all you do is MD5 the users
supplied password and compare to your DB.

Dan Tappin (The other Dan T)
On Mar 1, 2005, at 5:09 PM, Rob Tanner wrote:
> We have a number of PHP webpages that access one of several MySql
> databases and while the PHP files that contain the passwords cannot be
> accessed via the web, we are becoming increasingly concerned over the
> possibility of other webpage maintainers viewing those files.  How have
> other folks protected database passwords needed by PHP apps?

Thanks.


Re: [PHP] How can I secure database passwords used by PHP webpages

2005-03-01 Thread Rob Tanner
John,

We're a four year college.  Some maintainers are faculty, some are
staff and some are work-study (students) and centrally we have little
say over who can and can't.  We use webdav but people inevitably share
passwords (policies against doing such notwithstanding) and that's a
problem we can do little about until after the fact.  Back in the days
of cgi when executables were only allowed in cgi-bin which was
exclusively under the control of the webmaster, passwords could be put
into root-only readable files and read up by apache into its
environment, but that kind of control is unacceptable today in a
liberal arts college environment.  So the question is, how do we
protect ourselves from folks who misbehave (after all, I do lock my
front door even though in theory I trust my neighbors).

-- Rob

--On Tuesday, March 01, 2005 07:57:31 PM -0500 John Holmes
<[EMAIL PROTECTED]> wrote:

> Rob Tanner wrote:
>> We have a number of PHP webpages that access one of several MySql
>> databases and while the PHP files that contain the passwords cannot
>> be accessed via the web, we are becoming increasingly concerned over
>> the possibility of other webpage maintainers viewing those files.
>> How have other folks protected database passwords needed by PHP apps?
> 
> Who are these "other webpage maintainers" and why do they have access
> to your PHP source code? This isn't a PHP issue. The MySQL password
> has to be in a file as plain text; there's no getting around that (as
> recently discussed on here). Your issue is controlling access to the
> machine and the files, so is an OS/policy/trust issue, imo.



-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR




Re: [PHP] How can I secure database passwords used by PHP webpages

2005-03-01 Thread John Holmes
Rob Tanner wrote:
> We have a number of PHP webpages that access one of several MySql databases
> and while the PHP files that contain the passwords cannot be accessed via the
> web, we are becoming increasingly concerned over the possibility of other
> webpage maintainers viewing those files.  How have other folks protected
> database passwords needed by PHP apps?

Who are these "other webpage maintainers" and why do they have access to
your PHP source code? This isn't a PHP issue. The MySQL password has to
be in a file as plain text; there's no getting around that (as recently
discussed on here). Your issue is controlling access to the machine and
the files, so is an OS/policy/trust issue, imo.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com