Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi all. Suppose my CGI scripts run as user 'nobody'. If someone logs in and I serve some data from a database, I don't want someone seeing the database password. In theory they don't, but if somebody accidentally gets my source code, there it is!
my $dbh = DBI->connect( 'dbi:ODBC:sometable', 'someuser', 'somepass', { RaiseError => 1 } ) or die DBI->errstr;
How can I protect that? My thought is to move the password into a file and out of any directories that the Web server serves files from and set the owner of that file as 'nobody' with read/write permissions. Of course, I would use crypt or a digest to further protect that password.

Is it the best method of protecting passwords? Will it work on Windows? I do not know much about operating systems, so type slow :)

jatzger

Re: CGI and Password security
by Masem (Monsignor) on Jun 22, 2001 at 23:37 UTC
    The best way to do this is to move the password and other connection details to some other place besides the CGI or HTML serving dir. This can include the web server configuration files (if the server can handle this and has various mods; for example, Apache with Apache::DBI can have initiation info in the httpd.conf), or using a database-dependent way of initializing the connection based on files from the 'users' home directory (Mysql, for example, will look at the user's ~/my.cfg if connection parameters are not given). Both of these methods are more secure than setting the values in CGI, in that the malicious user would need to gain access via means other than http to get this information.


    Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
Re: CGI and Password security
by Zaxo (Archbishop) on Jun 23, 2001 at 05:47 UTC
    I like to set up "~/lib/myconnect.pl" containing:

    use strict;
    use DBI;
    {
        # $user and $pass are file-scoped lexicals: only myconnect() can see them
        my $user = 'someuser';
        my $pass = 'somepass';
        sub myconnect() {
            DBI->connect( 'dbi:ODBC:sometable', $user, $pass, { RaiseError => 1 } )
                or die DBI->errstr;   # or whatever
        }
    }
    1;

    A cgi script should use lib "$path_to_home/lib"; and require "myconnect.pl";

    Update: I should say how to finish this securely. The connection lib ~/lib/myconnect.pl must not be readable by other users. This is easiest to arrange (on Apache/*nix) if the suexec option is on for cgi and 'chmod 600 ~/lib/myconnect.pl'. The lib does not need to be executable, but must be readable by the cgi handler. Sorry, I'm not familiar enough with IIS to say how it should be set up there. ++crazyinsomniac, who is kindly teaching me to explain my posts better.

    After Compline,
    Zaxo

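An added example, not code from the thread, of the approach Zaxo and Masem describe: the credentials live in a file outside the document root, and the CGI refuses to load them unless the file is a regular file owned by the user the script runs as and has no group/other permission bits (i.e. chmod 600, as Zaxo's update requires). Unlike Zaxo's myconnect.pl, the credentials file here is assumed to simply return a hashref; the path /path/to/home/lib/myconnect.pl and the function names check_private_file, load_credentials and myconnect are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): load DB credentials from a private
# file outside the web server's document root, after checking ownership
# and permissions, then connect with DBI.
use strict;
use warnings;
use DBI;
use Fcntl ':mode';   # S_ISREG

# Placeholder path (assumed); point this at your own ~/lib/myconnect.pl.
# That file, chmod 600 and outside the document root, is expected to hold:
#   { dsn => 'dbi:ODBC:sometable', user => 'someuser', pass => 'somepass' };
my $CRED_FILE = '/path/to/home/lib/myconnect.pl';

# Die unless the file is a regular file, owned by our effective uid, and
# readable by nobody else. This catches a forgotten chmod before the
# password is ever read.
sub check_private_file {
    my ($path) = @_;
    my @st = stat $path
        or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];
    my $euid = $>;
    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is owned by uid $uid, but this process runs as uid $euid\n"
        if $uid != $euid;
    my $perm = $mode & 07777;
    die sprintf("%s has mode %04o; expected 0600 (group/other bits must be clear)\n",
                $path, $perm)
        if $perm & 0077;
    return 1;
}

# Evaluate the credentials file and insist on a hashref with the three
# keys we need, so a truncated or mis-edited file fails loudly.
sub load_credentials {
    my ($path) = @_;
    check_private_file($path);
    my $cred = do $path;
    die "could not load $path: "
        . ($@ || $! || 'file did not return a hashref') . "\n"
        unless ref $cred eq 'HASH';
    for my $key (qw(dsn user pass)) {
        die "$path does not define '$key'\n" unless defined $cred->{$key};
    }
    return $cred;
}

# Connect, then drop the plaintext so it is not left lying around in scope
# for the rest of the request.
sub myconnect {
    my $cred = load_credentials($CRED_FILE);
    my $dbh = DBI->connect($cred->{dsn}, $cred->{user}, $cred->{pass},
                           { RaiseError => 1, PrintError => 0 })
        or die "connect failed: " . DBI->errstr . "\n";
    undef $cred;
    return $dbh;
}

my $dbh = myconnect();
# ... run queries with $dbh as usual ...
$dbh->disconnect;
```

The same ownership/permission check applies to the per-user option file Masem mentions: with DBD::mysql the credentials can be left out of the script entirely and read from the user's .my.cnf by adding mysql_read_default_file=/path/to/.my.cnf to the DSN, but that file must be locked down just as tightly, since whoever can read it holds the password.
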
Re: CGI and Password security
by Anonymous Monk on Jun 25, 2001 at 18:54 UTC
    How about an environment variable?