Protecting a MySQL user/password in a PHP script

(30)

Do you develop a website? It is infinitely better to synchronize live and development sites using the PEAR Installer

(25)

doing the PEAR thing

(19)

Using PEAR 1.4.0 to install PEAR packages on a remote host

(19)

phpDocumentor and __get/__set/__call - give us your ideas (RFC)

(17)

Syndicate This Blog

RSS 0.91 feed

RSS 1.0 feed

RSS 2.0 feed

ATOM 0.3 feed

ATOM 1.0 feed

RSS 2.0 Comments

Powered by

Serendipity PHP Weblog

Saturday, April 1. 2006

Protecting a MySQL user/password in a PHP script

UPDATE 2: Thanks to Chris Shiflett, who provided a link to a real answer in his comment. Clearly, the way to do this within the environment where you have one host and lots of ~users is to use .htaccess. Each user would define in their own /home/user/public_html/.htaccess two environment variables like so:

SetEnv DBUSER mysqluser
SetEnv DBPASS mysqlpass

PHP will get these variables passed in the $_SERVER superglobal as $_SERVER['DBUSER'] and $_SERVER['DBPASS'].

Even better, if the .htaccess is then chowned by an admin to the nobody user and then chmod 0600, it will be unviewable in the shell by anyone but root and apache. It would also be trivial to implement and provide a setuid tool such as "vicrontab" to modify .htaccess if necessary.See Chris Shiflett's last comment on this error

In this way, scripts would look like so:

< php
$db = mysqli_connect('localhost', $_SERVER['DBUSER'], $_SERVER['DBPASS']);
>

This yields completely secure mysql user/pass per-user in a shared environment with 1 virtual host and lots of users who all have shell access.

Two days ago, I gave a talk at the University of Nebraska-Lincoln's computer science department colloquium on open source. At the reception preceding the talk, one of the students asked if there was a good way to protect the user/password of his MySQL scripts. This is an issue I have never run up against because we have a unique IP on the webhost, and it doesn't matter whether someone knows the user/pass, they can only connect directly from that host (and if someone can hack into the host, I doubt the database is the only thing that will be compromised).

Our student, however, had been browsing student accounts and noticed that one student had a particularly attractive webpage that couldn't have been coded by the student. It turned out to be an install of wordpress, so he thought he might give it a try. While installing the program, he noticed that the MySQL username/password was stored in plaintext in a wp-config.php file (or something of that nature), and so thought "hmm, I wonder if other UNL students can see the password." To test, he tried "cat /home/user/public_html/wordpress/wp-config.php" and sure enough: there it was in plain sight. This would not be an issue were it not for the fact that every student runs on the same site, and so all have access to the same mysql space, all they need is the password.

Having never run into this issue before, I came up with a PHP-based solution, and a MySQL-based solution, but neither makes me tremendously happy, so I wonder if any of you have a working solution to this problem in place

What I came up with was:

each user's web space has its own virtual host that is used to grant mysql privileges, so instead of "http://www.example.com/~user" we would have "http://user.students.example.com". In this way, it is not possible to connect to the mysql server unless you are accessing it directly from the web host. This, however, is likely to prevent the usage of the command-line mysql program, as it will attempt to connect from localhost.
The password is saved in a read-only file that is created by the web server itself.

The second method works in tandem with an open_basedir restriction in php.ini to the user's home directory. Basically, how it works is this simple system:

First assume our user is named "joeshmoe" and the user has shell access to /home/joeshmoe, and web root is /home/joeshmoe/public_html, the mysql password is 'mysqlpassword', and we are using PHP 5
login as joeshmoe to the unix shell
mkdir /home/joeshmoe/passwords
chmod 0777 /home/joeshmoe/passwords
save this script as /home/joeshmoe/public_html/savepassword.php:
< php
file_put_contents('/home/joeshmoe/passwords/mypass.php','mysqlpassword');
chmod(0600, '/home/joeshmoe/passwords/mypass.php');
>
browse to "http://www.example.com/~joeshmoe/savepassword.php"
chmod 0000 /home/joeshmoe/passwords
rm /home/joeshmoe/public_html/savepassword.php

At this point, to use the password, all you need to put in your scripts is "file_get_contents('/home/joeshmoe/passwords/mypass.php')" instead of "'mysqlpassword'", and only the webserver will be able to read the file. open_basedir will make it impossible for any external scripts to read the password.

Any comments

Posted by Greg Beaver in PHP at 16:34 | Comments (10) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

I guess you're taking it for granted that the exec* functions are disabled?

#1 Aaron (Homepage) on 2006-04-01 01:21 (Reply)

I don't understand why the script is needed to generate the file. If you just 'chown' the existing config file to the www user, and then use the open_basedir settings, the problem is already solved, isn't it?

#2 Ivo Jansch (Homepage) on 2006-04-01 01:30 (Reply)

Hi Greg,

The real problem here is that all websites served by the webserver (presumably Apache) have to be accessible by whichever user that Apache is configured to run as. What you really need is for each website to be owned by a different user, and for Apache to switch to the unique uid/gid to serve each site.

Two possible ways to do it are mod_suphp and mod_peruser.

Best regards,
Stu

#3 Stuart Herbert (Homepage) on 2006-04-01 02:08 (Reply)

If he can cat another user's files, then that's the problem that needs to be fixed. Either the system administrator should be shot for cocking up security so badly, or the user should be for chmoding wp-config.php 0777.

Either way, surely it'd be easier to just change the wp-config.php permissions? If this was a real issue, every single user of every single shared web host would be crying foul.

#4 Norman on 2006-04-01 06:31 (Reply)

Hi Greg,

Just read your update. Using ACL's is not the answer I'm afraid. All someone needs to do is to upload a PHP script to read the files in another user's website directory, and they can still read the files.

As long as the webserver runs as the same user for accessing all the websites on the box, this hole remains open.

Best regards,
Stu

#5 Stuart Herbert (Homepage) on 2006-04-01 12:30 (Reply)

My favorite solution to this problem comes from the PHP Cookbook and is mentioned near the end of this article:

Security Corner: Shared Hosting

#6 Chris Shiflett (Homepage) on 2006-04-01 16:20 (Reply)

Hi Greg,

I want to clarify one thing. The most important part of the technique from the PHP Cookbook is that the file is only readable by root. The nobody user should not be able to read the file with the access credentials, otherwise this would be possible:

CODE:

readfile('/path/to/secret-stuff');

Hope that helps clarify.

#7 Chris Shiflett (Homepage) on 2006-04-01 20:15 (Reply)

Any host I have access to I quickly tested this SetEnv and it resulted in a 500 Internal Server Error - most likely because mod_env isn't installed by default.

And, aren't the db credentials then displayed on a phpinfo()? Surely not much better when anyone can guess some /info.php over only users on the machine being able to see it imho.

#8 fa (Homepage) on 2006-04-02 06:43 (Reply)

Another solution is to set INI settings for database connection information, for example if you are using MySQL you can use the:

mysql.default_port
mysql.default_socket
mysql.default_host
mysql.default_user
mysql.default_password

So the idea would be to create a file only readable to your account (Unix permissions of 0600) db.conf. Inside this file you would have something like this:

php_admin_value mysql.default_host "localhost"
php_admin_value mysql.default_user "user"
php_admin_value mysql.default_password "password"

Then this file would be loaded through Include httpd.conf directive.
When it comes to connecting to the db, you'd simply do mysql_connect() without any parameters.

#9 Ilia Alshanetsky (Homepage) on 2006-04-02 11:17 (Reply)

I am the person that asked the question of Greg. I have tried the solution presented by Chris, however, it is still not working. I have placed a .htaccess file in my public_html directory containing the SetEnv commands. However, the .htaccess file must be at least chmod 644 for any webpages to load. Thus, and other user on the CSE server can just cat .htaccess and get the user name and password. I don't really know much about .htaccess files, so perhaps there is a way to fix this.

Thanks,

Brandon

#10 Brandon Hauff (Homepage) on 2006-12-14 12:40 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Standard emoticons like :-) and ;-) are converted to images. E-Mail addresses will not be displayed and will only be used for E-Mail notifications To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: BBCode format allowed You can use [geshi lang=lang_name [,ln={y\|n}]][/lang] tags to embed source code snippets
	Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.