On Fri, 15 Nov 2002, "Faßhauer, Wolfgang, FCI3" wrote:

> > Have you thought of running your webserver as some 'www' user? You can
> > then make your scripts readonly by a 'dev' group which the www user and
> > the developers are members of.
> >
> > CORRECT:
> > 'readonly' should be 'only readable' by
>
> Yes, that's our plan, too. But the risk still remains that someone will get
> a look at the script. I think there is a golden rule: Never put clear text
> passwords in files. Those files are stored in archives by backup, for
> example. There may be a lot of people (sysadmin, developer, ...) concerned
> with the webserver. So it's not easy to secure it.
A thought, although I've never been so secure myself and I'm not sure how secure this would be - but it's one of those silly convoluted ideas you have to tell someone. Since you're using mod_perl and Apache::DBI, this is just a thought.

Use Crypt::Blowfish_PP to generate an encrypted password and place it as a variable in a package somewhere. During server startup take a password from the command line, some sort of:

    <Perl>
    Paranoid::CryptDBIPassword::promptForPassword
    </Perl>

getliner. Take the value as my $key and:

    my $bfish = Crypt::Blowfish_PP->new($key);
    $Apache::PARANOID::dbiPassword = $bfish->decrypt($encryptedPassword);

then whenever you want your password you access $Apache::PARANOID::dbiPassword.

Hmm. I think that the guy who wrote Blowfish_PP would cut my danglies off for that one.

R.
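The scheme R. sketches above (only ciphertext in the package on disk, a key typed at httpd startup, the plaintext password held in memory), written out as a small Perl module. This is an added example, not the poster's code or anything from the mod_perl project. Paranoid::CryptDBIPassword, promptForPassword and $Apache::PARANOID::dbiPassword are the hypothetical names from the post; the padding, hex encoding, key-length check and the demo values are assumptions added here, because Crypt::Blowfish_PP only encrypts single 8-byte blocks.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list post): "ciphertext on disk,
# key typed at startup, plaintext only in memory" as a small module.
# Paranoid::CryptDBIPassword and $Apache::PARANOID::dbiPassword are the
# hypothetical names used in the post; everything else is assumed here.
use strict;
use warnings;

package Paranoid::CryptDBIPassword;

use Crypt::Blowfish_PP;    # raw Blowfish: 8-byte blocks, key of 8..56 bytes

# The only secret that ships with the server: hex ciphertext produced once,
# offline, by encrypt_password(). Empty placeholder here; the demo at the
# bottom generates a real value at runtime instead.
our $encryptedPassword = '';

# PKCS#7-style padding so a password of any length fills whole blocks.
sub _pad {
    my ($data) = @_;
    my $n = 8 - (length($data) % 8);
    return $data . (chr($n) x $n);
}

sub _unpad {
    my ($data) = @_;
    my $n = length($data) ? ord(substr($data, -1)) : 0;
    die "bad padding (wrong key or corrupt ciphertext?)\n"
        if $n < 1 || $n > 8 || $n > length($data)
        || substr($data, -$n) ne (chr($n) x $n);
    return substr($data, 0, length($data) - $n);
}

sub _cipher {
    my ($key) = @_;
    die "key must be 8 to 56 bytes\n" if length($key) < 8 || length($key) > 56;
    return Crypt::Blowfish_PP->new($key);
}

# One-off helper for the operator: returns hex ciphertext to paste into
# $encryptedPassword (ECB, block by block; see the note after the code).
sub encrypt_password {
    my ($key, $plain) = @_;
    my $bfish  = _cipher($key);
    my $padded = _pad($plain);
    my $out    = '';
    for (my $i = 0; $i < length($padded); $i += 8) {
        $out .= $bfish->encrypt(substr($padded, $i, 8));
    }
    return unpack('H*', $out);
}

sub decrypt_password {
    my ($key, $hex) = @_;
    my $bfish = _cipher($key);
    my $ct    = pack('H*', $hex);
    die "ciphertext is not a whole number of blocks\n" if length($ct) % 8;
    my $out = '';
    for (my $i = 0; $i < length($ct); $i += 8) {
        $out .= $bfish->decrypt(substr($ct, $i, 8));
    }
    return _unpad($out);
}

# Called once from a <Perl> section in httpd.conf at startup:
#   <Perl>
#     use Paranoid::CryptDBIPassword;
#     Paranoid::CryptDBIPassword::promptForPassword();
#   </Perl>
# Reads the key from the terminal (echo off) and leaves only the decrypted
# password in the process; handlers then read $Apache::PARANOID::dbiPassword.
sub promptForPassword {
    no warnings 'once';    # the package variable is set here, read elsewhere
    print STDERR "Key for the DBI password: ";
    system('stty', '-echo') == 0 or warn "cannot disable terminal echo\n";
    my $key = <STDIN>;
    system('stty', 'echo');
    print STDERR "\n";
    die "no key given\n" unless defined $key;
    chomp $key;
    $Apache::PARANOID::dbiPassword = decrypt_password($key, $encryptedPassword);
    return 1;
}

package main;

# Stand-alone demo: runs only when this file is executed, not when it is used.
unless (caller) {
    my ($key, $pw) = ('startup-key-demo', 's3cret-dbi-pw');    # constructed
    my $ct = Paranoid::CryptDBIPassword::encrypt_password($key, $pw);
    print "store this in \$encryptedPassword: $ct\n";
    my $back = Paranoid::CryptDBIPassword::decrypt_password($key, $ct);
    print "round trip ", ($back eq $pw ? "ok" : "FAILED"), "\n";
    eval { Paranoid::CryptDBIPassword::decrypt_password('wrong-key-demo!', $ct) };
    print "wrong key: ",
        ($@ ? "rejected by the padding check" : "undetected, garbage returned"), "\n";
}
```

Two design points worth knowing before copying this. Raw Blowfish in ECB mode gives confidentiality but no integrity: a wrong key is normally caught by the padding check, but roughly one wrong key in 256 produces a final byte that happens to be a valid pad and yields garbage instead of an error, so treat the check as a convenience, not authentication. And the threat model is exactly the one in the thread: backups and read access to the config now expose only ciphertext, while the plaintext password still sits in every httpd process's memory and the key has to be typed at each restart, so unattended restarts no longer work.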