|
|
|
| Welcome to the Monastery | |
| PerlMonks |
Re: Re: Re: Obscuring sensitive data in Perl code?by Anonymous Monk |
| on Mar 10, 2001 at 03:20 UTC ( [id://63396]=note: print w/replies, xml ) | Need Help?? |
|
To spell it out more explicitly... Make your program setgid and make it owned by a new group such as "wwwpass". Hide your database username/password combo in a separate file which can only be read by the group "wwwpass". Now only your program can read the file. Before it does, have your program authenticate the user somehow. If this authentication fails, just terminate the program. If it passes, go ahead and read the sensitive data from that external file. This way, even if a user finds out where the sensitive data is hidden, he can't read it unless he uses your program and passes your authentication test. You can use setuid instead of setgid if you must, but I personally feel safer using setgid and using a new group name which is dedicated to this task alone. The only drawback to all of this is that you must now ensure that your program will pass "taint" checks. But is that really a drawback? Buckaduck
In Section
Seekers of Perl Wisdom
|
|
||||||||||||||||||||||||||