On 12.07.2013 at 18:57, Mariano Martinez Peck <[email protected]> wrote:

> On Fri, Jul 12, 2013 at 11:56 AM, Sven Van Caekenberghe <[email protected]> wrote:
> 
> > On 12 Jul 2013, at 16:44, Norbert Hartl <[email protected]> wrote:
> > 
> > > Maybe you can specify your problem a bit more so.
> > 
> > I think what he basically means: the app needs to access the db, for which it needs a db password. How should he store it?
> 
> Yes, exactly.
> Answering also to Norbert... that's the case. Say someone hacks the server and has access to files. It would be too simple to browse a .txt file with data and get the password as plain text.
> (I will answer more in Norbert's mail)

If you can do it with filesystem permissions you are safe. If someone hacks your server it is important which privilege he is able to gain. If you store the password file for root read-only there is no way around it. Either the intruder gains the privilege of the user of your image and won't be able to read the password file but still is in control of your image that has the password stored internally. If the intruder gains root privilege it isn't important to protect the password file because he has complete access to the database if the database runs on the same machine.

I'm curious about your reply to my mail :)

Norbert

> > It also depends if there is only one db password, or one for each user, and in the latter case, if it is the same as the one entered by the user.
> 
> No, the db password is not supplied by the user. But it's not only one password either. There are a few (because there are a few databases). But all the users will use the same DB password/username.
> 
> Thanks!
> 
> -- 
> Mariano
> http://marianopeck.wordpress.com
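The permission-based approach Norbert describes, written out as an added shell example that is not part of the thread: the password file is created with a restrictive umask so it is never readable by other users even briefly, and a small audit function verifies that only the owner can read it. The file name and the password value are constructed for the demo; as the mail says, this only helps against an intruder who does not gain root or the image's own user.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): keep a DB password in a
# file that only its owner can read, and audit that the permissions stay that way.

# Return 0 when $1 is a regular file readable by its owner only (no group or
# other read bits), 1 otherwise. The mode string is taken from ls -l, which is
# portable across GNU and BSD; cut drops any trailing ACL/xattr marker ('+'/'@').
secret_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -r??------) return 0 ;;   # e.g. -r-------- or -rw-------
        *)          return 1 ;;   # group/other can read (or not a regular file)
    esac
}

# Write $2 into $1 with restrictive permissions from the very first byte:
# umask 077 inside a subshell so the file is created 0600, then tighten to 0400.
write_secret_file() {
    f="$1"; secret="$2"
    ( umask 077 && printf '%s\n' "$secret" > "$f" ) || return 1
    chmod 400 "$f" || return 1
    secret_perms_ok "$f"
}

# Demo with a constructed password (not a real credential) in a temp directory.
demo_dir=$(mktemp -d)
write_secret_file "$demo_dir/db.pwd" "example-only-not-a-real-password"
if secret_perms_ok "$demo_dir/db.pwd"; then echo "db.pwd: locked down"; fi

# A careless chmod 644 is exactly what the audit should catch.
chmod 644 "$demo_dir/db.pwd"
if secret_perms_ok "$demo_dir/db.pwd"; then echo "db.pwd: ok"; else echo "db.pwd: readable by others!"; fi
rm -rf "$demo_dir"
```

Running the audit from cron or a deploy hook gives an early warning when a config file is accidentally left world-readable.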
