[BLUG] A Couple Questions
Mark Krenz
blug_at_mailman.cs.indiana.edu
Wed, 31 Jan 2007 16:50:39 +0000
This is why I think the mysqlinfo file (or pgsqlinfo, etc.) makes
sense. It's simple, not tied to any specific language, and works on
simple principles. It's not specifically for web applications, and it
provides a single place to put the password.
On Suso, I've made it so that the webserver can read it and the user
that owns it can read it, but nobody else. Plus, I use a different
password for everyone's database access anyways. Things like PHP's
safe mode and Apache's suexec provide mechanisms to protect it from
other users' web applications reading other users' mysqlinfo files.
Mark
On Wed, Jan 31, 2007 at 04:24:52PM GMT, Gaddis, Jeremy L. [jlgaddis_at_ivytech.edu] said the following:
> My example was for PHP, specifically. You *could* do something similar
> for shell scripts as well, but remember that the password always has to
> be *somewhere* that's readable by the user running the script.
>
> Talk to your Active Directory admins, by the way. It is (technically)
> possible for them to set up a separate account for you that only has
> permissions to join workstations to the domain (without any other
> "administrative" permissions) -- whether they would do so may be a
> matter of policy, however.
>
> You can make it possible for users to run certain commands as root using
> sudo without requiring a password as well (see /etc/sudoers).
>
> If they boot a LiveCD, nothing is safe. Comforting, huh? =)
>
>
> --
> Jeremy L. Gaddis
> Network Administrator
> 812.330.6156 (w) 812.391.0358 (m)
>
>
> -----Original Message-----
> From: blug-admin_at_cs.indiana.edu [mailto:blug-admin_at_cs.indiana.edu] On
> Behalf Of Simon Ruiz
> Sent: Wednesday, January 31, 2007 11:20 AM
> To: blug_at_cs.indiana.edu
> Subject: RE: [BLUG] A Couple Questions
>
> Does this all apply to bash scripts in some way I'm missing?
>
> I don't know up front what username and passwords might be used for
> theoretical scripts in the future. I know that the joining of a
> workstation to the Active Directory Domain requires an Administrative
> User's (my) login, but that's a ways in the future, and anyhow I don't
> want to put my personal login and password in plaintext anywhere
> permanently in the filesystem. I figured if I needed to run something
> that required that information, I'd rather scp it to the machine,
> execute it, and then promptly rm it.
>
> Could this apply to local file used to invoke sudo privileges without
> intervention?
>
> And, while we're at it. Is any of this secure if a student decides to
> boot to a Live CD and browse the filesystem????
>
> Hope this finds you all doing well!
>
> Simón
>
> ________________________________
>
> From: blug-admin_at_cs.indiana.edu on behalf of Gaddis, Jeremy L.
> Sent: Wed 1/31/2007 10:38 AM
> To: blug_at_cs.indiana.edu
> Subject: RE: [BLUG] A Couple Questions
>
>
>
> I do something similar, but not quite to that extent.
>
> Each web application has a file under /etc/webapps/ which is a simple
> PHP, e.g.:
>
> <?php
> // Database connection settings for one web application, kept
> // outside the web root under /etc/webapps/ and pulled in with include.
> $dbhost = "dbserver.example.com";
> $dbuser = "username";
> $dbpass = "password";
> $dbname = "database";
> ?>
>
> And then I just put an "include '/etc/webapps/file.php';" at the top of
> the scripts that need it.
>
> Different road, same destination. =)
>
> --
> Jeremy L. Gaddis
> Network Administrator
> 812.330.6156 (w) 812.391.0358 (m)
>
>
> -----Original Message-----
> From: blug-admin_at_cs.indiana.edu [mailto:blug-admin_at_cs.indiana.edu] On
> Behalf Of Mark Krenz
> Sent: Wednesday, January 31, 2007 9:20 AM
> To: blug_at_cs.indiana.edu
> Subject: Re: [BLUG] A Couple Questions
>
>
> You need to read this:
>
> http://www.suso.org/docs/databases/saferdbpasswords.sdf
>
> I came up with this method years ago and it works well. You don't even
> need to be a hosting provider to use it. Keeping the password in a
> separate file and protecting that file works well for a variety of
> reasons.
>
> I've thought about making an RFC for it at times, but somehow that
> seems scary. Plus I need more professional feedback on the method.
>
> Mark
>
>
> _______________________________________________
> BLUG mailing list
> BLUG_at_linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>
--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/
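The thread's point is that the password has to live somewhere readable by the user running the script, so the protection is the file's ownership and mode, not the language. The shell script below is an added example for this thread; it is not Mark's mysqlinfo implementation and does not follow the format in the suso.org document. The key=value layout, the group name "www-data", and the file name ~/.mysqlinfo are assumptions. It creates the credentials file without ever exposing it with group/other bits set, and the reader refuses to hand out a password if the mode has since been loosened, which is the check a calling script wants before connecting.

```shell
#!/bin/sh
# Added example (not Mark's mysqlinfo implementation and not the format
# from the suso.org document): keep database credentials in one file that
# the owner and the webserver group can read but nobody else, and have
# scripts refuse to use the file if its mode has drifted open.
# Assumptions: a key=value layout, the group name "www-data", and the
# file name ~/.mysqlinfo.

DBINFO="${DBINFO:-$HOME/.mysqlinfo}"

# write_dbinfo FILE HOST USER PASSWORD DATABASE
# Creates FILE with mode 0640. The subshell keeps the umask change local,
# so the file never exists with group/other bits set before chmod runs.
write_dbinfo() {
    f=$1
    (
        umask 077
        printf 'host=%s\nuser=%s\npassword=%s\ndatabase=%s\n' \
            "$2" "$3" "$4" "$5" > "$f"
    ) || return 1
    chmod 0640 "$f" || return 1
    # Group ownership is what lets the webserver read it; chgrp may need
    # root or group membership, so failure is reported but not fatal.
    chgrp www-data "$f" 2>/dev/null || echo "warning: could not chgrp $f" >&2
}

# dbinfo_is_private FILE
# Succeeds only if FILE is a regular file with neither the other-read nor
# the other-write bit set. find -perm -MODE is POSIX and matches when all
# bits in MODE are set, so 004 and 002 are tested separately.
dbinfo_is_private() {
    [ -f "$1" ] || return 1
    if find "$1" -perm -004 | grep -q . ; then return 1; fi
    if find "$1" -perm -002 | grep -q . ; then return 1; fi
    return 0
}

# dbinfo_get FILE KEY
# Prints the value for KEY, or fails without printing anything if the
# file is readable by other users. Scripts should fail closed here rather
# than connect with a password that anyone on the box could have read.
dbinfo_get() {
    if ! dbinfo_is_private "$1"; then
        echo "refusing to read $1: mode allows access by other users" >&2
        return 1
    fi
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Usage from a script: the password never appears on a command line,
# so it is not visible in ps output or shell history.
# DBPASS=$(dbinfo_get "$DBINFO" password) || exit 1
```

The mode check is deliberately on the file's permission bits rather than on whether the current user can open it: a script running as the owner can always read the file, so an access test would pass even after someone has chmod'ed it to 0644. As Jeremy notes in the thread, none of this helps against someone with a LiveCD and the disk; it only keeps other local users and other users' web applications out.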