You'd assume those ENV variables are secure.. or secure "enough".  I know 
there's no such thing as perfect security, but I still wonder if there's a 
better way.

Although at this point, if there was a way to read other process/subprocess ENV 
variables, it'd most likely be something an attacker would have to get at by 
being fairly close to the system (trojan installed as root and exploiting an OS 
bug that allowed access to ENV variables from other processes for example).  So 
I'm guessing this is about as secure as you're going to get for now.

The problem still bugs me though.. hah. 

-TG

= = = Original message = = =

[EMAIL PROTECTED] wrote:
> If you did use ENV to set the username and password, you could always unset 
> it using the same method after you ran the mysql command.  So it'd only be 
> exposed for a very brief period of time and slightly less accessible than 
> just running a process list.
> 

indeed I do the following directly after the relevant call to exec() :

    putenv('MYSQL_PLESK_PWD=doreallythinkIwouldleavethispwdfloatingaroundinashellenv?');

> It still falls under the category of "security through obscurity" which isn't 
> a best practice scenario.  But I can't think of another way to run mysql 
> under these circumstances that's any better.

but given that the ENV var is only available to the shell php is currently 
running in (and any subshells), the script is only vulnerable to 
mistakes/attacks from 'inside' the script - basically I'm assuming that 
whatever is stored in the ENV of a shell is not accessible/visible to other 
users on the given system.

is that assumption correct?

> 
> -TG

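The thread's open question is whether the environment of a running process is visible to other local users the way its command line is. The following Python script is an added illustration, not code from either poster; it assumes a Linux host with /proc mounted, and the variable name MYSQL_PWD and the secret value are constructed placeholders. It checks the permission bits the kernel puts on /proc/<pid>/cmdline versus /proc/<pid>/environ, reproduces the set-exec-unset pattern from the thread, and shows the narrower alternative of handing the secret only to the child's environment so there is nothing to unset in the parent.

```python
"""Check how Linux exposes a process's command line versus its environment,
and run a command with a secret in the child's environment only.

Added illustration for the thread above; not code from the original posts.
Assumes a Linux /proc filesystem.  MYSQL_PWD and the secret value are
constructed placeholders, not values from the posts.
"""
import os
import stat
import subprocess
import sys


def file_mode(path):
    """Permission bits of a file, or None when it does not exist (no /proc)."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


def world_readable(path):
    """True when 'other' users have read permission on the file."""
    mode = file_mode(path)
    return mode is not None and bool(mode & stat.S_IROTH)


def proc_exposure(pid="self"):
    """Summarise what /proc reveals about a process to *other* local users.

    /proc/<pid>/cmdline is normally 0444, so every local user can read the
    argument vector (this is what `ps` shows).  /proc/<pid>/environ is 0400
    and is further guarded by the kernel's ptrace access check, so only the
    same uid (or root) can read it.  That is the boundary the poster asks
    about: other users cannot see it, but anything running as the same user,
    and root, still can.
    """
    return {
        "cmdline_world_readable": world_readable(f"/proc/{pid}/cmdline"),
        "environ_world_readable": world_readable(f"/proc/{pid}/environ"),
    }


def run_putenv_style(argv, secret, var="MYSQL_PWD"):
    """The pattern from the thread: export into our own environment, run the
    command, then remove the variable.  PHP's putenv('VAR=dummy') after exec()
    serves the same purpose; the exposure window is the call itself."""
    os.environ[var] = secret
    try:
        return subprocess.run(argv, capture_output=True, text=True,
                              check=True).stdout.strip()
    finally:
        os.environ.pop(var, None)


def run_with_child_env(argv, secret, var="MYSQL_PWD"):
    """Tighter variant: copy our environment, add the secret for the child
    only, and leave the parent's environment untouched."""
    child_env = dict(os.environ)
    child_env[var] = secret
    return subprocess.run(argv, env=child_env, capture_output=True,
                          text=True, check=True).stdout.strip()


def child_sees_var(var="MYSQL_PWD"):
    """Spawn a fresh Python child and report whether `var` reached it."""
    code = f"import os; print('yes' if {var!r} in os.environ else 'no')"
    out = subprocess.run([sys.executable, "-c", code], capture_output=True,
                         text=True, check=True).stdout.strip()
    return out == "yes"


def demo(secret="constructed-secret"):
    """Run both patterns and report what the child saw and what was left
    behind in the parent's environment afterwards."""
    # The child just echoes the variable back; a real mysql client would
    # read it from its environment the same way.
    echo = [sys.executable, "-c",
            "import os; print(os.environ.get('MYSQL_PWD', '<unset>'))"]
    seen_putenv = run_putenv_style(echo, secret)
    seen_child_env = run_with_child_env(echo, secret)
    return {
        "seen_putenv": seen_putenv,
        "seen_child_env": seen_child_env,
        "parent_env_polluted": "MYSQL_PWD" in os.environ,
        "later_child_sees_it": child_sees_var(),
        "proc": proc_exposure(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a stock Linux box the script reports the command line as world-readable and the environment as not, which matches the poster's assumption; the caveat is that the check is per uid, so any other code running as the same web-server user (or as root) can still read /proc/<pid>/environ for the duration of the call.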


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
