
Re: Mysql



> What I want to avoid is embedding the root/equivalent user password in my
> cgi application.
This is something that you can't avoid. What you can try is to have a
user that is only allowed to do the things that your cgi program is normally
expected to do, things like add/delete records. Otherwise you will just add
a layer on your cgi program, which will have to have this password. There is
no way to escape this trap.

> Of course, I know that first of all obtaining the cgi application, then
> reverse engineering it and extracting the root password is no joke... But
> if I could give it a try... someone else could too! ;o)
The things that you have to protect are your web server and your mysql db.
The first thing that I do with any remote mysql db is that I allow access to
that database from only the localhost for the root user, and for any web apps
the access to each table is given to only those computers that need it. Now
with this in place, your database will be quite secure, as only your db
server and the web server can access them remotely. If they are on the same
server, then no remote access should be allowed to the database! With mysql
you can do this very effectively by disabling tcp/ip access, though this is
not applicable to any client which must use tcp/ip (e.g. java!!!!!). Next
comes the web server. For the web server, no one from outside should have
access to any port other than port 80!! After that you should make sure that
any unneeded network services are stopped (this is a standard security
measure, and under linux you can do this very easily using ipchains or
iptables!). This should ensure in most cases that no one gets to your cgi
app. If someone can remotely get to your cgi app's source code, then you have
a serious security flaw. Correct that before you even think about protecting
your database. No one should ever get the password to your database if you
implement these measures. For more info on security I would suggest that you
read various articles on the net on firewalling and other measures that you
should take to secure your servers. Hiding a database password is helpful
only if you have many people who are using your web server (which is a very
bad idea imho!)
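The least-privilege account and localhost-only root setup described in the reply above, as an added example that is not part of the original post. It assumes a modern MySQL (5.7 or later, for CREATE USER and DROP USER IF EXISTS); the database name, table, account name, web server address and password are constructed placeholders to replace with your own.

```sql
-- Constructed example schema: the one table the CGI program works on.
CREATE DATABASE IF NOT EXISTS shopdb;
CREATE TABLE IF NOT EXISTS shopdb.orders (
    id   INT AUTO_INCREMENT PRIMARY KEY,
    item VARCHAR(64) NOT NULL,
    qty  INT NOT NULL
);

-- Application account: bound to the web server's address (placeholder
-- 192.0.2.10) and granted only the verbs the CGI program actually needs.
-- No GRANT OPTION, no access to other tables or to the mysql.* tables.
CREATE USER 'cgiapp'@'192.0.2.10' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT, INSERT, DELETE ON shopdb.orders TO 'cgiapp'@'192.0.2.10';

-- If the CGI program runs on the same host as mysqld, use 'cgiapp'@'localhost'
-- instead and disable TCP/IP entirely in my.cnf under [mysqld]:
--     skip-networking
-- or, when a TCP client such as Java must still connect locally:
--     bind-address = 127.0.0.1

-- Administrative account: remove any wildcard-host root entry so root can
-- only log in from the local machine.
DROP USER IF EXISTS 'root'@'%';

-- Verify the result: every remaining account should have a specific host,
-- and the application account should show only the three privileges above.
SELECT user, host FROM mysql.user ORDER BY user, host;
SHOW GRANTS FOR 'cgiapp'@'192.0.2.10';
```

With this in place, the password that still has to live in the CGI program only unlocks SELECT/INSERT/DELETE on one table from one address, which is the point the reply makes: you cannot remove the credential from the program, so you shrink what it is worth.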