Obscuring mySQL password
Running this on a shared server, I have some security problems.
Apache runs as nobody, so the files need to be w=r. Anyone else on the server can read my mySQL username and password information.
I found an article on the web that suggested setting the php variable open_basedir in Apache to my home directory - and of course to do this in all the virtualhost entries of the config file.
I'll talk with my hosting company to make this change; however I don't have confidence they will do so based on prior technical support experiences. Do any of you automatically set this in your Apache config files on servers you manage?
The w=r problem is harder to solve on my server. The suggestion in the prior mentioned article was to set all the user accounts in the same group in the server, and make sure that the web server runs in a different group. Setting the protections on the files to 604 will then allow the web server process to read the files, but not any other users on the box.
The accounts on my server are all in unique groups. This precludes the 604 protection trick. Are there any hosts out there that actually do this? Is it adaquate to keep people on a shared server from reading my files?
Any other ideas? How about a way to effectively read in the password in an encrypted form then decrypt it in the PHP application to use it? This would have to be done in a manner that would be hard to reverse engineer with the PHP source code, but... I was thinking about a binary distributed withe the application that did the encryption/decryption with a reversable algorythm that was not part of the PHP code...
Any ideas?
Thanks,
-t
