in reply to Site file organization

The only thing I really have to comment on is this line:

data.txt (db connect info--needs to go in secure dir)

I'm not sure what you mean with "secure dir", but I take it you put some data in that file that shouldn't fall into wrong hands. Please note that something like this is really hard to really secure, if there are other users on the system this site runs on. Your http daemon probably runs under some user account with few permissions (nobody, or www, or whatever), but somehow, that user is supposed to be able to read that file. Another user on that machine can do the same (write a little Perl CGI app. that opens and prints the file contents). This is quite a big problem, for which I haven't really seen good solutions besides using things like RSBAC[1] (Linux).

This all may not be appropriate for your specific case, but probably worth mentioning.

--
b10m

[1] please note that up to now, I still have been too lazy to plunge into reading up on RSBAC, and thus this might not even solve the problem ...

All code is usually tested, but rarely trusted.

Re: Re: Site file organization
by abell (Chaplain) on Feb 01, 2004 at 09:02 UTC

    By using suexec you can have Apache run CGIs as the user owning them. If you chmod 600 (-rw-------) the files containing the configuration data, no other user should be able to access them (apart from root).

    Cheers

    Antonio


    The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
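As an added illustration of the permission check abell's suggestion relies on (this is example code written for this page, not from the thread or from any of the posters): a POSIX shell function that verifies a credentials file such as data.txt carries no group/other permission bits and is owned by the uid the script runs as, which is what suexec plus chmod 600 gives you. It assumes GNU stat(1) and falls back to the BSD/macOS stat syntax; the file names and the connect info in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit a credentials file for the
# owner-only permissions abell describes (chmod 600). Assumes GNU stat(1);
# falls back to the BSD/macOS stat syntax when the GNU form fails.

# check_config_perms FILE
# Exit status 0 when FILE is a regular file, owned by the current user,
# and carries no group/other permission bits; otherwise prints the reason
# and returns 1.
check_config_perms() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }

    # Octal permission bits (e.g. 600) and the numeric owner uid.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f" 2>/dev/null) || return 1
    uid=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1

    # The last two octal digits are the group and other bits; both must be 0.
    groupother=${mode#"${mode%??}"}
    if [ "$groupother" != "00" ]; then
        echo "$f: mode $mode is accessible to group/other (want 600 or 400)"
        return 1
    fi

    # Under suexec the CGI runs as the file owner, so the owner must be us.
    if [ "$uid" != "$(id -u)" ]; then
        echo "$f: owned by uid $uid, but this process runs as uid $(id -u)"
        return 1
    fi
    return 0
}

# Constructed demo: a correctly locked-down data.txt next to a leaky copy.
demo_config_perms() {
    d=$(mktemp -d) || return 1
    # Constructed placeholder connect info; not real credentials.
    printf 'dsn=dbi:mysql:exampledb\nuser=exampleuser\npass=EXAMPLE_PLACEHOLDER\n' > "$d/data.txt"
    cp "$d/data.txt" "$d/data-leaky.txt"
    chmod 600 "$d/data.txt"
    chmod 644 "$d/data-leaky.txt"   # readable by every local user: the problem b10m raises

    check_config_perms "$d/data.txt" && echo "$d/data.txt: ok"
    check_config_perms "$d/data-leaky.txt" || echo "$d/data-leaky.txt: FIX PERMISSIONS"
    rm -rf "$d"
}

demo_config_perms
```

Run it from the account the CGIs execute as (the file owner under suexec); a check that passes as your own shell user but not as the web user is exactly the mismatch that leaves the file readable by the wrong account. As abell notes, root can still read the file regardless of mode, so this only narrows the readers to the owner and root.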
Re: Re: Site file organization
by bradcathey (Prior) on Jan 31, 2004 at 20:51 UTC
    b10m, I knew that file and explanation would raise eyebrows around the monastery. I am trying to avoid hard coding the dbi connect info into my scripts. I thought about encoding it somehow and having the scripts decode it as it is read. Thanks for the caution which underlines my original reservations. We'll see if another monk has advice, but in the meantime, I'll look at RSBAC.

    Update: In surfing CPAN I found Crypt::Blowfish and Crypt::CBC that seem to do a good job of what I need--I think.

    —Brad
    "A little yeast leavens the whole dough."