Password Security

ADN

Hi,

I have an account on a Debian server which runs php and Postgres. This server has other users on it who could log into their accounts and browse the contents of my public_html directory.

I would like it if there was some way of having the postgres username and password was stored in an .inc file in there so the scripts can access it. But I don't want people to be able to see it if they go in there.

Has anyone else come up against this? What could I do?

Thanks.

el_kab0ng

Have you chown'd and chmod'd the file to allow access by the webserver and no one else?

mmilano

the problem with chmod would be that the file must have "all -read" access in order to use it on the website... and the directory where the file is at must have "all - execute" on it.

maybe name your file with a "." in front of it so at least some people won't see it if they aren't looking. ( not a great solution though )

one bit of advise.. don't use ".inc" files!!! that is unless you make apache send it through html.

i used to use .inc files which contained db passwords until i pulled one up in a browser. by default, the .inc extension is not addressed by apache and will display as plain text.

el_kab0ng

i used to use .inc files which contained db passwords until i pulled one up in a browser. by default, the .inc extension is not addressed by apache and will display as plain text.

That's why .inc files should go into a .htaccessed folder on the server. =]

The only other option I know of is to speak to your administrator, or seek professional web hosting somewhere else.

Most webservers are configured in such a way that the user is chrooted into their home, keeping them out of everyone else's business. Is this a ~web or a sub level domain we're talking about?

KoshNaranek

i use .inc-files, too.

sometimes they are very usefull 🙂

Just add this line to the .htaccess-File

RedirectMatch permanent (.*).inc$ index.php

(where index.php is your redirectpage ... e.g. "index.html")

index.html simply contains: <h1>LISTING DENIED!!!</h1>

Try this: name them for example config.inc.php
Apache should think it's a php-file... since there are no "echo"s in this file... nothing will be displayed - haven't tried this one...
😃

jayant

They can acces your public_html, but can they access any folder outside it, i will suggest create a folder outside public_html and have your file with extension .php (just incase you decide to move them in webdirectory).

For username and password, encrypt them and store in that file, whenever you need to access the database, decrypt the password form within the script.

This won't make it absolutely safe but a lot safer especially from f00lz. Consult your host for more about this, they should be knowing better.

ADN

(been away for a bit)

Thanks for your suggestions, it's given me things to think about.

At the moment the web processes (and php) run as 'www-data'.

Can I set up php files that belong to 'www-data' that can be run by 'www-data' but not read by anyone else?

I'm sure it's a chown thing but I'm not sure anymore.

Then what would be nice is to have a script that was only readable by 'www-data' that users would include that supplied a username and password depending on where the script was running say by looking at

$_SERVER["REQUEST_URI"]

might give ->

/~me/myscript.php

and so dish out the username and password for "me"

I get an error when I try to change the contents of this variable by directly assigning it to some other string directly so people couldn't change it to fool the script into thinking the script was someone elses...