From: Sergio T. <ser...@ho...> - 2003-12-23 13:03:38
>From: Robert Dodier <rob...@ya...>
>To: php...@li...
>Subject: [Phpwiki-talk] Permissions for index.php -- hide MySQL password?
>Date: Mon, 22 Dec 2003 08:55:43 -0800 (PST)
>
>Hello everyone,
>
>I've installed PhpWiki on my project website at SourceForge
>and I have to say, it is really terrific! Thanks to the
>development team for a job well done.
>
>I have a question about the MySQL password. I see that I
>can put the admin password in index.php in encrypted form --
>that's great. But can I also encrypt the MySQL password?
>
>It seems like a security problem, since index.php must be
>readable by the web server; it might be possible for anyone
>with a login on the project servers to read the MySQL password.
>
>I've read through archives for PHP, MySQL, and PhpWiki, but
>there doesn't seem to be a definitive solution. It seems the
>standard operating procedure is to ask the SF sysadmins to
>"chgrp nobody index.php". Is there another way?
>
>It may be not so much of an issue, since by design, a wiki
>is pretty much wide open for abuse anyway. But it seems
>like the MySQL-password-in-a-script problem must be
>generic to many SF projects that use MySQL.
>
>How was this problem solved for the PhpWiki project
>demonstration wiki?
>
>Thanks for any light you can shed on this issue --
>
>Robert Dodier

I saw someone also post recently about using a .htaccess file (presumably using Basic Authentication) which is really perhaps not a good idea considering the password gets sent in the clear. Also noticed the suggestion to use mod_auth_mysql. But getting back to the idea of authenticating for access to a PHPWiki instance via the context of .htaccess (or directory context in httpd.conf, etc.) ... what about the possibility of using Digest Authentication (mod_auth_digest)?
I know it's still considered experimental by Apache since the server doesn't check the nonce reflected by the browser (and for a while there was a problem with browsers not supporting MD5 digest authentication), but most modern day browsers I think are now supporting digest access. Perhaps it's overkill to use both digest (such as at the Wiki's root directory such that .htaccess files are not constantly being parsed by httpd for every request in subrealms)? Just an idea perhaps worth contemplating.

Peace on Earth,
Serj
From: Reini U. <ru...@x-...> - 2003-12-23 14:03:04
Sergio Trejo wrote:
> I saw someone also post recently about using a .htaccess file
> (presumably using Basic Authentication) which is really perhaps not a
> good idea considering the password gets sent in the clear. Also noticed
> the suggestion to use mod_auth_mysql. But getting back to the idea of
> authenticating for access to a PHPWiki instance via the context of
> .htaccess (or directory context in httpd.conf, etc.) ... what about the
> possibility of using Digest Authentication (mod_auth_digest)? I know it's
> still considered experimental by Apache since the server doesn't check
> the nonce reflected by the browser (and for a while there was a problem
> with browsers not supporting MD5 digest authentication), but most modern
> day browsers I think are now supporting digest access. Perhaps it's
> overkill to use both digest (such as at the Wiki's root directory such
> that .htaccess files are not constantly being parsed by httpd for every
> request in subrealms)? Just an idea perhaps worth contemplating.

You can set up any auth scheme, whatever you want.
But I don't think that http digest auth has wide client support.
Everybody still uses Basic, with the password md5'ed in the header.
But you need a sniffer to get at these.

What I wrote about .htaccess auth is that we will include a file-style auth scheme, which can be used optionally, similar to basic http auth. That means you don't get the browser's popup with user/password; instead you can login at the normal phpwiki login page and authenticate against any htaccess-style file (username:encrypted_password\n...). Such files are very simple to maintain and easier to set up than http auth, which needs support by the local system administrator.

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
From: Reini U. <ru...@x-...> - 2003-12-23 19:41:18
Reini Urban wrote:
> You can set up any auth scheme, whatever you want.
> But I don't think that http digest auth has wide client support.
> Everybody still uses Basic, with the password md5'ed in the header.

Oops, base64 of course.

--
Reini Urban
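An added example, not code from the thread or from PhpWiki, that makes the two points above concrete: a Basic header is just base64 of user:password and is reversible by whoever sees it, while Digest (RFC 2617, qop=auth) sends an MD5 response bound to a server nonce, the server keeps HA1 rather than the password (as an htdigest file does), and it rejects nonces it did not issue or has already accepted. Realm, user and password values are constructed.

```python
import base64
import hashlib
import secrets


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# HTTP Basic (RFC 2617): the credential is only base64-encoded, not hashed,
# so without TLS anyone who sees the header has the clear-text password.
def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


# HTTP Digest (RFC 2617, qop=auth): only MD5 hashes cross the wire.
# HA1 = MD5(user:realm:password) is what an htdigest file stores, so the
# server side never needs the clear-text password either.
def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestRealm:
    """Server side of one Digest realm (constructed example).
    It accepts only nonces it issued itself, each once; that is the nonce
    check the thread says the experimental Apache module did not perform."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if user not in self.ha1 or nonce not in self.issued:
            return False
        self.issued.discard(nonce)  # single use: a replayed response fails
        expected = digest_response(self.ha1[user], method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)
```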