I'm more concerned about other pair users being able to access the file.
Currently, the file is stored above the document root, but it has to be
readable by the cgi script, hence the user nobody in group www.

> -----Original Message-----
> From: Wizard [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 02, 2003 9:19 AM
> To: Joel Gwynn; Boston-Pm
> Subject: RE: [Boston.pm] cgi file permissions
>
>
> > I've got a script which reads a config file to get a database
> > username and password, among other things.  What should the permissions be
> > so that the cgi script running on the web server can read the file, but
> > random users on the system can't?  Is this the best way for the script to get
> > sensitive info like that?
>
> I'd suggest that you store the password encrypted using crypt, and then when
> the user enters the password, encrypt it and then compare the two. That way
> you don't have any cleartext passwords lying around.
>
> If this is to store some generic every-user password to log onto the
> database, then I'd suggest you use a true authentication mechanism like
> Apache authentication between the user and the config file (like
> htaccess).
> You could also store the password outside of the document_root, and have the
> script read it there. That way the webserver shouldn't be able to retrieve
> it using GET.
>
>
> > This is on pair.com, where the script runs as user nobody and group www.

_______________________________________________
Boston-pm mailing list
[EMAIL PROTECTED]
http://mail.pm.org/mailman/listinfo/boston-pm
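As an added example that is not part of the thread: the layout Joel describes, a config file kept above the document root and readable only by its owner and the web server's group, plus a check that confirms both properties. The paths are stand-ins created under a temp directory, and because a non-root user can only chgrp to a group they belong to, the group falls back to the caller's primary group instead of pair.com's www unless CGI_GROUP is set.

```shell
#!/bin/sh
# Added example (not from the thread). Creates a config file outside a
# stand-in document root, restricts it to owner + one group, and verifies
# the result. Paths and the group fallback are assumptions for the demo.

set -eu

WORKDIR=$(mktemp -d)
DOCROOT="$WORKDIR/public_html"        # stand-in for the web document root
CONF="$WORKDIR/etc/db.conf"           # lives above the document root
mkdir -p "$DOCROOT" "$WORKDIR/etc"

# Constructed sample config (not real credentials).
cat > "$CONF" <<'EOF'
dbuser=app
dbpass=example-only
EOF

# Group the CGI process runs as. On pair.com this is www; here we fall
# back to the caller's primary group so the demo runs unprivileged.
CGI_GROUP=${CGI_GROUP:-$(id -gn)}

# Owner rw, web-server group r, everyone else nothing.
lock_down() {
    f=$1; grp=$2
    chgrp "$grp" "$f"
    chmod 0640 "$f"
}

# Octal mode of a file; GNU and BSD stat take different flags.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Returns 0 when "others" have no permission bits and the file is not
# under the document root; 1 if world-readable, 2 if inside the docroot.
check_conf() {
    f=$1; docroot=$2
    m=$(mode_of "$f")
    others=$(printf '%s' "$m" | tail -c 1)
    [ "$others" = "0" ] || return 1
    case "$(cd "$(dirname "$f")" && pwd -P)/" in
        "$(cd "$docroot" && pwd -P)/"*) return 2 ;;
    esac
    return 0
}

lock_down "$CONF" "$CGI_GROUP"
check_conf "$CONF" "$DOCROOT" && echo "ok: $CONF mode $(mode_of "$CONF")"
```

Note that this only keeps the file from other shell users on the host; anything else running as user nobody in group www (for example another customer's CGI on a shared server) can still read it, which is the exposure Joel is worried about above.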
