[EMAIL PROTECTED] wrote:
> You'd assume those ENV variables are secure.. or secure "enough". I know
> there's no such thing as perfect security, but I still wonder if there's a
> better way.
>
> Although at this point, if there was a way to read other process/subprocess
> ENV variables, it'd most likely be something an attacker would have to get at
> by being fairly close to the system (trojan installed as root and exploiting
> an OS bug that allowed access to ENV variables from other processes, for
> example). So I'm guessing this is about as secure as you're going to get for
> now.

thanks - nice to have a few extra brains executing this 'thought experiment'

> The problem still bugs me though..

hah. yeah, it niggles a bit. I keep hunting about now and again to see if I can
learn how seasoned shell scripters tackle such security issues - undoubtedly I'm
not the first to come across these issues; I am, after all, a very small hobbit
standing on the shoulders of very tall ents.

> -TG
>
> = = = Original message = = =
>
> [EMAIL PROTECTED] wrote:
>> If you did use ENV to set the username and password, you could always unset
>> it using the same method after you ran the mysql command. So it'd only be
>> exposed for a very brief period of time and slightly less accessible than
>> just running a process list.
>
> indeed, I do the following directly after the relevant call to exec():
>
> putenv('MYSQL_PLESK_PWD=doreallythinkIwouldleavethispwdfloatingaroundinashellenv?');
>
>> It still falls under the category of "security through obscurity", which
>> isn't a best practice scenario. But I can't think of another way to run
>> mysql under these circumstances that's any better.
>
> but given that the ENV var is only available to the shell PHP is currently
> running in (and any subshells), the script is only vulnerable to
> mistakes/attacks from 'inside' the script - basically, I'm assuming that
> whatever is stored in the ENV of a shell is not accessible/visible to other
> users on the given system.
>
> is that assumption correct?
>
>> -TG

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
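Editor's note: the question the thread leaves open is what a subprocess actually exposes, and to whom. The script below is an added example, not code from either poster, that makes the check concrete on Linux. It assumes /proc is mounted, uses a sleeping Python interpreter as a stand-in for the mysql client (a real client would behave the same way, since the kernel records argv and the environment at exec time regardless of the program), and relies on two facts about the real client that are not in the thread: it reads the password from the MYSQL_PWD environment variable, and it accepts an option file via --defaults-extra-file, which must be the first option on the command line. The secret value and the file names are constructed for the example.

```python
"""Added example (not from the thread): what a child process leaks through
argv versus its environment, and a third option that uses neither.

Assumptions: Linux with /proc mounted; a sleeping Python interpreter stands in
for the mysql client; MYSQL_PWD is the variable the real mysql client reads.
"""
import os
import stat
import subprocess
import sys
import tempfile

SECRET = "example-password-do-not-use"          # constructed sample value
HAVE_PROC = os.path.exists("/proc/self/cmdline")


def _stand_in_client(*extra_argv):
    """argv for a child that idles for 30 s; extra_argv is ignored by it,
    but, like any argv, it is recorded in /proc/<pid>/cmdline."""
    return [sys.executable, "-c", "import time; time.sleep(30)", *extra_argv]


def file_mode(path):
    """Permission bits of path, e.g. 0o444."""
    return stat.S_IMODE(os.stat(path).st_mode)


def inspect_child(argv, env):
    """Spawn argv with env and report what /proc exposes about it.

    Popen returns only after the child has exec'd, so cmdline and environ
    already describe the new image. Returns None when /proc is unavailable.
    """
    if not HAVE_PROC:
        return None
    proc = subprocess.Popen(argv, env=env)
    try:
        base = f"/proc/{proc.pid}"
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().split(b"\0")
        with open(f"{base}/environ", "rb") as f:
            environ = f.read().split(b"\0")
        needle = SECRET.encode()
        return {
            "secret_in_cmdline": any(needle in a for a in cmdline),
            "secret_in_environ": any(needle in e for e in environ),
            "cmdline_mode": file_mode(f"{base}/cmdline"),  # 0o444: any local user
            "environ_mode": file_mode(f"{base}/environ"),  # 0o400: owner and root
        }
    finally:
        proc.kill()
        proc.wait()


def password_on_command_line():
    """mysql --password=... style: the secret sits in world-readable cmdline."""
    return inspect_child(_stand_in_client(f"--password={SECRET}"), os.environ.copy())


def password_in_environment():
    """MYSQL_PWD style: the secret sits only in the 0400 environ file."""
    env = os.environ.copy()
    env["MYSQL_PWD"] = SECRET
    return inspect_child(_stand_in_client(), env)


def write_client_defaults(password, directory=None):
    """Write a MySQL option file readable only by this user and return its path.

    Hand it to the client as the FIRST option:
        mysql --defaults-extra-file=<path> -u user dbname
    Neither argv nor the environment then carries the secret.
    """
    fd, path = tempfile.mkstemp(prefix="client-", suffix=".cnf", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)        # mkstemp already uses 0600; be explicit
            # Option-file values may be double-quoted; escape backslash and quote.
            quoted = password.replace("\\", "\\\\").replace('"', '\\"')
            f.write(f'[client]\npassword="{quoted}"\n')
    except Exception:
        os.unlink(path)
        raise
    return path


if __name__ == "__main__":
    print("argv:   ", password_on_command_line())
    print("environ:", password_in_environment())
    print("defaults file:", write_client_defaults(SECRET))
```

Run as a normal user, the first dictionary reports the secret in a 0444 cmdline (which is all `ps` reads), the second reports it only in a 0400 environ, which is the basis for the assumption made in the thread: another unprivileged user cannot read it, root can. Two caveats follow from the same mechanism. /proc/<pid>/environ is the block the kernel copied in at exec, so a putenv() in the parent after exec() returns changes only what later children inherit; the child that already ran received the value and that is fine, but it also means the overwrite is not what protects it. And the option-file route keeps the password out of both places at the cost of a file, which is why its mode matters.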