> I've got a script which reads a config file to get a database username and
> password, among other things. What should the permissions be so that the
> cgi script running on the web server can read the file, but random users on
> the system can't? Is this the best way for the script to get sensitive info
> like that?

I'd suggest that you store the password encrypted using crypt, and then when the user enters the password, encrypt it and then compare the two. That way you don't have any cleartext passwords lying around.

If this is to store some generic every-user password to log onto the database, then I'd suggest you use a true authentication mechanism like Apache authentication between the user and the config file (like htaccess).

You could also store the password outside of the document_root, and have the script read it there. That way the webserver shouldn't be able to retrieve it using GET.

> This is on pair.com, where the script runs as user nobody and group www.
>
> _______________________________________________
> Boston-pm mailing list
> [EMAIL PROTECTED]
> http://mail.pm.org/mailman/listinfo/boston-pm
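The "outside of the document_root" suggestion from the reply, as an added Perl example that is not part of the original thread: a loader that refuses a config file located under the document root or accessible to "other" users. The directory names, file name, keys and values are constructed for the demo, and Perl is assumed as the CGI language.

```perl
use strict;
use warnings;
use Cwd qw(abs_path);
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Load key=value settings, refusing a file that sits under the document
# root or that users other than owner and group can access.
sub load_config {
    my ($path, $doc_root) = @_;
    # Resolve symlinks and ".." so the document-root comparison is reliable.
    my $real = abs_path($path);
    my $root = abs_path($doc_root);
    die "cannot resolve paths\n" unless defined $real && defined $root;
    die "$real is inside the document root\n" if index($real, "$root/") == 0;

    open my $fh, '<', $real or die "cannot open $real: $!\n";
    # Check the mode on the open handle, not the path, to avoid a race.
    my $mode = (stat $fh)[2];
    die "$real is accessible to 'other' users\n" if $mode & S_IRWXO;

    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*#/ || $line !~ /\S/;   # comments, blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/ or next;
        $cfg{$k} = $v;
    }
    close $fh;
    return \%cfg;
}

# Constructed demo layout in a temp dir (hypothetical names and values).
my $base = tempdir(CLEANUP => 1);
mkdir "$base/$_" or die "mkdir: $!\n" for qw(public_html private);
my $conf = "$base/private/db.conf";
open my $out, '>', $conf or die "write $conf: $!\n";
print {$out} "db_user = appuser\ndb_pass = constructed-sample\n";
close $out;

# Owner read/write, group read (the web server's group, "www" in the
# question), nothing for other users.
chmod 0640, $conf or die "chmod: $!\n";
my $cfg = load_config($conf, "$base/public_html");
print "loaded settings for $cfg->{db_user}\n";

# Loosening the mode makes the loader refuse the file.
chmod 0644, $conf or die "chmod: $!\n";
eval { load_config($conf, "$base/public_html"); 1 } or print "refused: $@";
```

Where every account's CGI scripts run as the same user and group, as with nobody and www in the question, the file mode keeps out shell users but not another script running under that same identity.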

