Yes, I know that Apache can be set to run using your own account, but most
hosts don't do that because I heard that this can create other security
problems.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "William R. Mussatto" <[EMAIL PROTECTED]>
To: "Octavian Rasnita" <[EMAIL PROTECTED]>
Cc: "Larry Brown" <[EMAIL PROTECTED]>; "MySQL List" <[EMAIL PROTECTED]>
Sent: Monday, January 06, 2003 8:07 PM
Subject: Re: Hiding the password


On Mon, 6 Jan 2003, Octavian Rasnita wrote:

> Date: Mon, 6 Jan 2003 08:33:48 +0200
> From: Octavian Rasnita <[EMAIL PROTECTED]>
> To: Larry Brown <[EMAIL PROTECTED]>,
>     MySQL List <[EMAIL PROTECTED]>
> Subject: Re: Hiding the password
>
> No, we are not talking about the staff of the hosting company.
>
> The hosting company runs a single Apache server on a single account on that
> server for all sites that are sitting on that computer.
> If the user that runs the web server has access to your files, this means
> that everyone has access.
>
It's possible to configure a single virtual host to run as a different
user and group.  It still won't protect you from people at the hosting
company, but other hosting clients should be isolated.

>
> Teddy,
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Larry Brown" <[EMAIL PROTECTED]>
> To: "MySQL List" <[EMAIL PROTECTED]>
> Sent: Saturday, January 04, 2003 9:50 PM
> Subject: RE: Hiding the password
>
>
> First, why are we conceding that "everyone can find out your id and
> password"?  Your hosting company has your site separated from other
> customers' sites right?  So we are just talking about the development team
> for your site being privy to this information.
>
> Second, if you are referring to the staff of the hosting company, you can't
> avoid their ability to access data via your login scripts period.  As far as
> I know they can view all of your communication with the MySQL database and
> can get that information.  If you want tight security hosting it yourself is
> a must in my view.
>
> Larry S. Brown
> Dimension Networks, Inc.
> (727) 723-8388
>
> -----Original Message-----
> From: wcb [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 04, 2003 1:51 PM
> To: Mark; MySQL
> Subject: Re: Hiding the password
>
> It isn't at all difficult to grasp.  Please carefully (and exercising a
> certain amount of patience) read my post and the previous post upon which my
> post was based.  We are acknowledging that EVERYONE can find out your id and
> password.  The question reformulated is:
>
> "Given that one's MySql environment may not be accessible in terms of privs
> (which is the case for a lot of people, who are paying for hosting by a
> third party) and given that we CAN'T hide the id/password combination, is
> the standard arrangement that hosts use (which is to ensure that only
> localhost can access the database) adequate to prevent people from doing
> unwanted things in your database?  NOTE that I'm assuming that one has a
> script on localhost, and all users are from another domain, and also
> assuming that the script is properly set up to constrain the activities of
> users, does it even matter that people can determine the id/password
> combination??"
>
> Thanks for patient responses.
>
> Cheers!
>
> -warren
>
>
>
> >
> > > Perhaps gurus can comment on what I'm suggesting here - if the database is
> > > set up so that only "localhost" can access it, then you can use a php or
> > > PERL script to allow people from elsewhere to cruise in and make queries
> > > as your script allows.
> >
> > Why is this so difficult to grasp? As I, and many others, have pointed out,
> > repeatedly, it does not matter how many layers you wrap around your
> > password-retrieval code, as soon as you make the end-result
> > accessible/readable by your web-CGI, you have done just that: made the
> > user/password accessible by your web-daemon -- hence, made it accessible to
> > everyone with access to your web-server.
> >
> > And no, adding some sort of access-control within your CGI is equally
> > useless: as a user being hosted on your web-server I would not bother to run
> > your CGI, but simply copy it for ocular inspection. :)
> >
> > > Certainly I'd appreciate comments on this by people in the know, because
> > > it is an issue that so many people face...
> >
> > Perhaps those people should do what I do: create special MySQL users
> > (@localhost), unprivileged to the max, with only very narrow SELECT
> > privileges to the databases they are supposed to read data from, and use
> > those users to access the MySQL server in your CGI.
> >
> > - Mark
> >
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> >    http://www.mysql.com/manual.php   (the manual)
> >    http://lists.mysql.com/           (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> >

Sincerely,

William Mussatto, Senior Systems Engineer
CyberStrategies, Inc
ph. 909-920-9154 ext. 27

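Mark's suggestion above (a dedicated, minimally privileged MySQL account bound to localhost, used only by the CGI) as a worked example, set beside the catch-all account it replaces. This is an added illustration, not code from any poster in the thread: the database, table, column and account names (shop, products, orders, web_all, webro) and the password placeholders are constructed, and the statements assume a MySQL version that has CREATE USER (5.0.2 and later; on the 4.x servers of the thread's era the equivalent was GRANT ... IDENTIFIED BY).

```sql
-- Added example, not from the thread. All names below are constructed placeholders.

-- Weak setting: what a leaked id/password combination gives away when the
-- script connects with a catch-all account (every privilege, from any client host).
CREATE USER 'web_all'@'%' IDENTIFIED BY 'placeholder-password-1';
GRANT ALL PRIVILEGES ON *.* TO 'web_all'@'%';

-- Least-privilege alternative, as Mark describes: one account per script,
-- reachable only from localhost, with narrow SELECT rights.
CREATE USER 'webro'@'localhost' IDENTIFIED BY 'placeholder-password-2';

-- Column-level SELECT on the single table the catalogue page reads.
GRANT SELECT (id, name, price) ON shop.products TO 'webro'@'localhost';

-- If the script must also write, add the one statement type it needs on the
-- one table it needs; no UPDATE, DELETE, DROP, FILE or GRANT OPTION.
GRANT INSERT ON shop.orders TO 'webro'@'localhost';

-- Check: what someone who copied the CGI's credentials could actually do
-- with each account. Compare the two result sets.
SHOW GRANTS FOR 'web_all'@'%';
SHOW GRANTS FOR 'webro'@'localhost';

-- Drop the catch-all account again so the example leaves nothing dangerous behind.
DROP USER 'web_all'@'%';
```

Run it as an administrative account. The two SHOW GRANTS results make the point of the thread concrete: with the first account, anyone on the shared server who reads the password out of the CGI gets every privilege on every database and can connect from anywhere; with the second, the same leak yields read access to three columns and insert on one table, and only through a local connection, which is the most a hosting client can take from you even though the credentials themselves cannot be hidden.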