Well, this makes sense of course, narrowing it down, only giving
accounts access to what they need, but we have scripts that run at 3am from
the cron daemon, so I can't be there to type in passwords.  Obviously the
most secure (aside from locking a computer in a room with no network
connection and no removable drives) is to have the password in someone's
head.  But I can't do that, so I am looking for the next best way to 1)
prevent someone from reading a perl script and accessing our database (of
course modifying it is worse than reading it, but if it is sensitive
information reading it is still unacceptable) and 2) make it easier to
modify these scripts when we do change a password (i.e. having them all read
it or use code in a central location, that we carefully monitor and limit
access to).
                -dave


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 3:26 PM
To: Dave Feinberg
Cc: [EMAIL PROTECTED]
Subject: Re: security and dbi



Being a newbie I am not sure what I am doing is the best way BUT it works
for us.  I create accounts with ONLY the access the account needs.  I have
no 'system wide' accounts.  If the username/password is used for reporting
(as most of mine are) they get only the ability to read data, not modify it.
If the user (script) needs to modify it, I have the user enter a password.
I use this as an audit trail.

My $0.02.
Vince



 

Dave Feinberg <DFeinberg@ClubMom-inc.com>
12/11/01 02:26 PM

To:      [EMAIL PROTECTED]
cc:
Subject: security and dbi

I have a security related question.  How does one deal with database
security such as connect usernames and passwords in plain text perl
scripts?  Obviously encoding them directly into the scripts is not optimal.
This also makes it difficult to alter all these scripts if you need to
change a password.  Considerations are to use perl bytecode, and then the
passwords are harder to get.  Or possibly to store them encrypted and then
read them in, but of course then they can always be decrypted if someone can
access the computer.  Really I think ultimately the answer is you are
relying on the security of the physical machine.  But at least having them
in one place makes it easier if you change them.  Just curious about what
your thoughts might be, what is the most effective solution you have found
for the amount of work it takes.
                     -Dave
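
The "central location" idea raised in this thread, as an added example that is not code from any of the posters: a Perl routine that reads the DSN, username and password for a named account from one file and refuses to use the file unless it is owned by the account running the script and closed to group and other. It narrows who can read the password to that account and root, and it still depends on the security of the machine, as the thread says. The file path, the tab-separated layout and the label nightly_report are assumptions; DBI->connect is the standard DBI call.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. The path, the labels and the
# tab-separated file layout are assumptions made for illustration.
use strict;
use warnings;
use Fcntl qw(:mode);

my $CRED_FILE = '/etc/dbcreds/accounts.tsv';    # hypothetical central file

# Return (dsn, user, password) for a label such as "nightly_report".
# Assumed layout, one account per line: label<TAB>dsn<TAB>user<TAB>password
sub load_creds {
    my ($label, $file) = @_;
    $file = $CRED_FILE unless defined $file;

    open(my $fh, '<', $file) or die "cannot open $file: $!\n";

    # stat the open handle, not the path, so the file checked is the file read.
    my @st = stat($fh) or die "cannot stat $file: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$file is not a regular file\n" unless S_ISREG($mode);
    die "$file is not owned by the account running this script\n"
        unless $uid == $>;
    die sprintf("%s has mode %04o; remove group/other access\n",
                $file, S_IMODE($mode))
        if $mode & (S_IRWXG | S_IRWXO);

    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;          # skip comments and blanks
        my ($name, $dsn, $user, $pass) = split /\t/, $line, 4;
        next unless defined $pass && $name eq $label;
        close $fh;
        return ($dsn, $user, $pass);
    }
    close $fh;
    die "no entry \"$label\" in $file\n";
}

# When run directly (for example from cron), connect with a read-only
# reporting account; when loaded with require, only load_creds is defined.
unless (caller) {
    require DBI;
    my ($dsn, $user, $pass) = load_creds('nightly_report');
    my $dbh = DBI->connect($dsn, $user, $pass,
                           { RaiseError => 1, PrintError => 0 });
    print "connected as $user\n";
    $dbh->disconnect;
}
1;
```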


