I've read more messages from the Apache users list and the Apache experts say that if the web server is run by your own account this can create more security problems. I don't know what problems and I would also like to know, but if someone wants to know, you can subscribe to that list.

... or if someone knows, please tell us.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "Larry Brown" <[EMAIL PROTECTED]>
To: "MySQL List" <[EMAIL PROTECTED]>
Sent: Monday, January 06, 2003 8:23 PM
Subject: RE: Hiding the password

This is your problem. Change hosting companies. There should be multiple accounts, at least one for each site, and nobody from any other site should be able to log in and view your files. It's called chroot and is the most common method of separating customers of a hosting company. If your description is correct and there is only one account that all of the customers use, you will have no security whatsoever.

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-----Original Message-----
From: Octavian Rasnita [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 1:34 AM
To: Larry Brown; MySQL List
Subject: Re: Hiding the password

No, we are not talking about the staff of the hosting company. The hosting company runs a single Apache server on a single account on that server for all sites that are sitting on that computer. If the user that runs the web server has access to your files, this means that everyone has access.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "Larry Brown" <[EMAIL PROTECTED]>
To: "MySQL List" <[EMAIL PROTECTED]>
Sent: Saturday, January 04, 2003 9:50 PM
Subject: RE: Hiding the password

First, why are we conceding that "everyone can find out your id and password"? Your hosting company has your site separated from other customers' sites, right? So we are just talking about the development team for your site being privy to this information.

Second, if you are referring to the staff of the hosting company, you can't avoid their ability to access data via your login scripts, period. As far as I know they can view all of your communication with the MySQL database and can get that information.

If you want tight security, hosting it yourself is a must in my view.

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-----Original Message-----
From: wcb [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 04, 2003 1:51 PM
To: Mark; MySQL
Subject: Re: Hiding the password

It isn't at all difficult to grasp. Please carefully (and exercising a certain amount of patience) read my post and the previous post upon which my post was based.

We are acknowledging that EVERYONE can find out your id and password. The question reformulated is: "Given that one's MySQL environment may not be accessible in terms of privs (which is the case for a lot of people, who are paying for hosting by a third party) and given that we CAN'T hide the id/password combination, is the standard arrangement that hosts use (which is to ensure that only localhost can access the database) adequate to prevent people from doing unwanted things in your database? NOTE that I'm assuming that one has a script on localhost, and all users are from another domain, and also assuming that the script is properly set up to constrain the activities of users, does it even matter that people can determine the id/password combination??"

Thanks for patient responses.

Cheers!
-warren

> > Perhaps gurus can comment on what I'm suggesting here - if the database is
> > set up so that only "localhost" can access it, then you can use a php or
> > PERL script to allow people from elsewhere to cruise in and make queries
> > as your script allows.
>
> Why is this so difficult to grasp? As I, and many others, have pointed out,
> repeatedly, it does not matter how many layers you wrap around your
> password-retrieval code, as soon as you make the end-result
> accessible/readable by your web-CGI, you have done just that: made the
> user/password accessible by your web-daemon -- hence, made it accessible to
> everyone with access to your web-server.
>
> And no, adding some sort of access-control within your CGI is equally
> useless: as a user being hosted on your web-server I would not bother to run
> your CGI, but simply copy it for ocular inspection. :)
>
> > Certainly I'd appreciate comments on this by people in the know, because
> > it is an issue that so many people face...
>
> Perhaps those people should do what I do: create special MySQL users
> (@localhost), unprivileged to the max, with only very narrow SELECT
> privileges to the databases they are supposed to read data from, and use
> those users to access the MySQL server in your CGI.
>
> - Mark
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> ---------------------------------------------------------------------

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
---------------------------------------------------------------------
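Mark's suggestion at the end of the thread, a dedicated @localhost account that can do nothing but SELECT on the tables the CGI script reads, spelled out as MySQL statements. This is an added example, not code posted by anyone in the thread; the database, table and column names (shop, products, categories, id, name, price), the user name webapp and the password placeholder are assumptions. It goes one step beyond the thread by showing a column-level grant as well as a table-level one.

```sql
-- Constructed example: least-privilege MySQL account for a web script.
-- Names below (shop, products, categories, webapp) are assumptions.

-- 1. Create the account bound to localhost only. The thread's premise is
--    that the password WILL be read out of the script by other tenants of
--    the shared host; the host restriction means it is useless from any
--    other machine, and the grants below bound what it can do locally.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'PLACEHOLDER-change-me';

-- 2. Grant only what the script needs: SELECT on named tables, never
--    on *.* and not on the whole database.
--    Table-level: every column of shop.categories is readable.
GRANT SELECT ON shop.categories TO 'webapp'@'localhost';

--    Column-level: only these three columns of shop.products are
--    readable; any other column (a cost price, say) stays hidden even to
--    someone who has the password.
GRANT SELECT (id, name, price) ON shop.products TO 'webapp'@'localhost';

-- 3. Check the result. The output should list exactly the grants above
--    plus the implicit "USAGE ON *.*" (which carries no privileges).
SHOW GRANTS FOR 'webapp'@'localhost';

-- 4. Confirm no other host entry exists for this user name; a stray
--    'webapp'@'%' row would undo the localhost restriction.
SELECT user, host FROM mysql.user WHERE user = 'webapp';

-- 5. What the script can and cannot do when connected as webapp:
--    allowed:
--      SELECT id, name, price FROM shop.products WHERE id = 42;
--    denied by the server (command denied / column access denied):
--      INSERT INTO shop.products (name, price) VALUES ('x', 1);
--      SELECT * FROM shop.products;          -- asks for ungranted columns
--      SELECT * FROM mysql.user;             -- no grant on mysql.*

-- If the script later needs to write one table, add the narrowest write
-- grant for that table alone rather than widening the account:
--   GRANT INSERT ON shop.orders TO 'webapp'@'localhost';
```

This does not hide the credential, which is the thread's whole point; it only makes a leaked credential worth very little. The two checks (steps 3 and 4) are the ones worth repeating after any hosting-panel change, since control panels commonly create an additional `'user'@'%'` entry that silently reopens remote access.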