On Wed, 28 Mar 2012 11:34:56 -0400, Jeffrey Walton said:

> Under Linux, about the best you can do to avoid hard coded passwords
> in source files is store the password in a file, and then clamp the
> ACL on the file so only tomcat, apache, or whomever can read.
> Generally, it means you remove world and group.

Or clamp down even further using SELinux, which can get you to the point of "only /usr/bin/httpd can read this file". Combine this with "only the init process can launch httpd", and it gets pretty hard for an attacker to get at the passwords without a complete system compromise.

(Yes, it's still vulnerable to "exploit allows running arbitrary code in the httpd process's context" and similar. I *said* "pretty hard", not "impossible" ;)
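As an added example (not part of this thread and not code from either poster), here is the file-ACL half of what the reply describes, as a small POSIX shell helper a deployment script could use: the credential file is created under a restrictive umask so it is never momentarily readable by others, then locked to owner-read-only, and a check function confirms the group and world bits are clear. The file path, the secret value and the service user named in the comments are assumptions; the SELinux confinement discussed in the reply is a separate policy step and is not shown here.

```shell
#!/bin/sh
# Constructed example: keep a service credential in a file readable only by
# its owner, and verify that no group/world permission bits are set.

# write_secret FILE VALUE
#   Create FILE with VALUE as its content, readable only by the owner.
#   umask 077 ensures the file is born 0600 (never 0644), then chmod 0400
#   drops the owner's write bit as well.
write_secret() {
    _file="$1"
    _value="$2"
    _old_umask=$(umask)
    umask 077
    printf '%s\n' "$_value" > "$_file"
    chmod 0400 "$_file"
    umask "$_old_umask"
    # In a real deployment, run as root, hand the file to the service user
    # (assumed name) so only that account can read it:
    #   chown tomcat:tomcat "$_file"
}

# perm_string FILE
#   Print the nine rwx characters from `ls -ld`, e.g. "r--------".
#   Characters 2-10 are used so an ACL/SELinux marker in column 11 is ignored.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# check_secret_perms FILE
#   Return 0 when group and world bits are all clear, 1 otherwise.
#   Suitable as a pre-start check in a service script.
check_secret_perms() {
    _perms=$(perm_string "$1")
    case "$_perms" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Short demonstration on a temporary directory (constructed values).
_demo_dir=$(mktemp -d)
write_secret "$_demo_dir/db.password" 'constructed-example-value'
if check_secret_perms "$_demo_dir/db.password"; then
    echo "ok: $(perm_string "$_demo_dir/db.password") $_demo_dir/db.password"
else
    echo "WARNING: credential file is readable by group or world" >&2
fi
```

The check reads the mode with `ls -ld` rather than `stat` so it behaves the same on any POSIX system; a service start script can call `check_secret_perms` and refuse to start when the file has been loosened, which turns a silent misconfiguration into a visible failure.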
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/