Hiding Database password in a CGI script.

David Berrebi

Sep 14, 1999, 3:00:00 AM
I have a perl script which connects to a database using DBI:DBD.
The script is currently executed as user nobody and has r+x access for
the world.
In the script I defined 2 variables, the dblogin and dbpassword.

My problem is if somebody connects to the unix box where the script is,
he can read the file and find out the login and password to connect to
the database.

How can I hide that information?

--
*****************************************
David Berrebi
*****************************************

Kragen Sitaker

Sep 14, 1999, 3:00:00 AM
In article <7rlog9$lq5$1...@nnrp1.deja.com>,
David Berrebi <ber...@email.com> wrote:
>My problem is if somebody connects to the unix box where the script is,
>he can read the file and find out the login and password to connect to
>the database.

Don't make the script readable and executable by everybody. Instead,
make it owned by you and readable and executable only by you.

Kragen
--
<kra...@pobox.com> Kragen Sitaker <http://www.pobox.com/~kragen/>
Tue Sep 14 1999
55 days until the Internet stock bubble bursts on Monday, 1999-11-08.
<URL:http://www.pobox.com/~kragen/bubble.html>

Jamie McCarthy

Sep 14, 1999, 3:00:00 AM
David Berrebi wrote:

> I have a perl script which connects to a database using DBI:DBD.
> The script is currently executed as user nobody and has r+x access for
> the world.
> In the script I defined 2 variables, the dblogin and dbpassword.
>
> My problem is if somebody connects to the unix box where the script is,
> he can read the file and find out the login and password to connect to
> the database.
>
> How can I hide that information?

You can't. If the computer can figure out from your script what
the password is, so can a sufficiently intelligent human. Your
only recourse is to make sure the human can't read the script.

I would suggest you look into creating a user specific to your
database, instead of "nobody," who owns and runs the script.
(And turning off r+x for the world, obviously.) For example,
when I set up Apache, I configure it to run as the special user
"apnobody" which has no permissions outside the web tree and
which nothing else on the machine runs as. But this is a unix
security question, not a perl question.

Of course, feel free to try disguising the password within your
perl script as best as possible, so the casual reader won't
figure it out by grepping on "password". But if your secret is
important, you'll have to do more.

--
Jamie McCarthy
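
An added example, not part of any post in this thread: a POSIX shell check for the two Unix-side measures suggested in the replies above (no access for group or world, and ownership by one specific account). The function name `audit_cgi_secret`, the file `report.cgi` and its contents are constructed for illustration, and the check assumes the web server executes the CGI as the owning account.

```shell
#!/bin/sh
# Added example: audit a CGI script that embeds database credentials.
# Returns 0 only if the file is owned by the expected account and no
# group/world permission bit is set; 1 on a finding; 2 if the file is missing.
audit_cgi_secret() {
    file=$1    # script that holds dblogin/dbpassword
    owner=$2   # user name or numeric uid expected to own it
    bad=0

    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }

    # 'find -perm -BITS' matches only when every listed bit is set, so
    # testing one bit at a time reports exactly which access is open.
    for bit in 040 020 010 004 002 001; do
        if [ -n "$(find "$file" -prune -perm -"$bit")" ]; then
            echo "FAIL: $file has mode bit $bit set (group/world access)"
            bad=1
        fi
    done

    # Empty output means the owner differs (or the account does not exist).
    if [ -z "$(find "$file" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $file is not owned by $owner"
        bad=1
    fi

    [ "$bad" -eq 0 ] && echo "OK: $file"
    return "$bad"
}

# Constructed demo: a stand-in script, audited before and after chmod.
demo() {
    dir=$(mktemp -d) || return 2
    printf '#!/usr/bin/perl\n# dblogin and dbpassword live here\n' > "$dir/report.cgi"
    chmod 755 "$dir/report.cgi"
    audit_cgi_secret "$dir/report.cgi" "$(id -u)" || true   # world r+x: reports FAIL
    chmod 700 "$dir/report.cgi"
    rc=0
    audit_cgi_secret "$dir/report.cgi" "$(id -u)" || rc=$?  # owner-only: reports OK
    rm -rf "$dir"
    return "$rc"
}
demo
```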
