-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 22 October 2002 21:41, Hardy Merrill wrote:
> Assuming you create a Perl module outside of the webserver's
> document root, the tricky thing is that for cgi scripts, the
> user that the web server is running as needs at least "read"
> access to that file that contains the DB passwords.

This solution works as long as all of the programmers are "trusted" users and only non-programmers are "untrusted." Creating a script which prints out the DB password would be quite easy. But if the programmers are not a concern, then there is no problem with the filesystem rights management.

Another solution (as Henri Asseily pointed out) would be asking for the password each time the Apache configuration changes, someone unplugs the power, a frustrated cracker forkbombs the system... Not a bad solution in a stable environment, though. SSL uses the same method.

The simplest method of all would be to eliminate unauthorized access using the database management system's authorization schemas. For example, you could allow access to the database for only selected Unix users. This is done using the access control methods offered by the DBMS. If no-one can su(1) to www-data (or some other user Apache runs as), only root, www-data and other selected users can connect to the database. No passwords needed.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9taH3nksV4Ys/z5gRAvk4AJ9CrmnZpsBIw4A1RadD16WhnKQ7AgCgqIMF
7Y/JQrOfc6XYq3Hry3T32A8=
=mwmA
-----END PGP SIGNATURE-----
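The "filesystem rights" approach from the first paragraph is easy to get wrong with a default umask, which leaves the credentials module world-readable. The script below is an added example, not part of the thread: it defines a small audit function that accepts a credentials file only when no "other" bits are set and the group (the web-server user's group) can at most read it, then walks through the constructed sample. The file name DBConfig.pm, the placeholder password and the group layout are assumptions; GNU stat(1) is assumed for the octal mode. Giving the file to the www-data group normally needs root (chown), so the demo only changes modes.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the "readable only by
# the web-server user" layout for a Perl module holding DB credentials.
# Assumptions: GNU stat(1); the file name and group arrangement are
# hypothetical (owner = deploying user, group = the group www-data is in).

# check_secret_perms FILE
# Returns 0 when FILE is a regular file whose "other" bits are all clear and
# whose group bits are either nothing (0) or read-only (4); 1 otherwise.
# The group read bit is the one that gives the CGI user its access, so
# group write/execute and any world access are rejected.
check_secret_perms() {
    file=$1
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    # last octal digit = "other", second-to-last = "group"
    other=$(printf '%s' "$mode" | tail -c 1)
    group=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    [ "$other" = "0" ] || return 1
    case "$group" in
        0|4) return 0 ;;
        *)   return 1 ;;
    esac
}

# --- constructed demo: a sample credentials module under a temp dir ---
demo_dir=$(mktemp -d)
secret="$demo_dir/DBConfig.pm"
cat > "$secret" <<'EOF'
package DBConfig;
# constructed sample; the password below is a placeholder, not a real secret
our $DSN  = 'dbi:Pg:dbname=example';
our $USER = 'webapp';
our $PASS = 'PLACEHOLDER-NOT-A-REAL-PASSWORD';
1;
EOF

# Typical result of a 022 umask: world-readable, so every local user can
# read the password, not just www-data.
chmod 0644 "$secret"
if check_secret_perms "$secret"; then
    echo "0644: ok (unexpected)"
else
    echo "0644: rejected, module is world-readable"
fi

# Intended layout: owner rw, group (www-data's group) read-only, others none.
chmod 0640 "$secret"
if check_secret_perms "$secret"; then
    echo "0640: ok, only owner and the web-server group can read it"
else
    echo "0640: rejected (unexpected)"
fi

# Note: even at 0640 any CGI script that runs as www-data can still read
# and print the password; that is the "trusted programmers" caveat from
# the message and no file mode fixes it.
rm -rf "$demo_dir"
```

The check is deliberately strict about group write: a programmer who can modify the module as a group member can also change the credentials, which is a different problem from merely reading them. For the DBMS-side approach in the last paragraph, the equivalent on PostgreSQL (an assumption about which DBMS is in use) is a `peer` entry for the local socket in pg_hba.conf, which maps the connecting Unix user to a database role without any password in a file at all.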
