Mark Ferraretto wrote:
>
> Hello all,
>
> This may be a FAQ somewhere so just point me there if this is the case.
>
> I am using MySQL + PHP + apache to write an application that requires
> row-level security (I posted a message about this a week or two ago).
> It's all in place now but I'd like some feedback on my implementation,
> especially with a view to potential security holes.
>
> I don't use MySQL security. This is because it can't provide row-level
> security and can be bypassed using a client that's not mine.
>
> So, access to the database is through a single mysql user who has complete
> rights to the database. I have created some security tables and I use
> them to control access.
>
> The username and password are stored as cookies through the browser. If
> the cookies don't exist (or have expired), a login screen is displayed.
>
> How does this look? The mysql user and password exist in plain text in a
> .php file. Can this ever be retrieved by a user or will apache always
> generate the html when it sees that it's a php file?
>
> What are the security implications of using cookies? I have the plaintext
> username in one cookie and the mysql-encrypted password in another.
> Neither cookie is called 'user' or 'password' or something like that.
> I've kept the names cryptic.
>
> Thanks for your input.
>
> Mark
Mark,
Consider the following:
SSL would be a big plus.

Deny telnet to the machine except to absolutely trusted users/machines. They'll
see the user who has access and will be able to
mysql -uthatuser -pthatuserspassword and look at what's in there. If you've
missed a grant somewhere, you could compromise data.

Deny ftp to the machine. If they can ftp, they can get the security .php3
files and do the same. If this poses a publishing problem, consider FrontPage
extensions on the server. I have found it compromise-proof, but have not tested
it as vehemently as I'd like to; still, it appears very secure.

Deny foreign host access to the mysql database through grants.

Run your apache as user whatever, where that user has /dev/null as their shell
in /etc/passwd.

Run your mysql as dbuser.dbgroup, where dbuser and dbgroup are something
arbitrarily named and their directories are accessible only by that group, and
your users don't have access, except for the real administrators of the server.

Use ipchains (on Linux), or some other firewalling technique, to block all
ports/hosts except those necessary for administration and trusted.

In case of a crash, ensure you do not fire up the web-server before getting the
php3/apache server back up, or your php3 files will not be parsed.

None of the above should be alarming, since I've been able to manage through all
these things since PHP-FI2 and haven't had anyone compromise me, yet. I'll
admit they're fairly low-usage sites, but I've logged 100+ attempts through my
security monitors, and many were malicious. I have 15 servers running this
config on the 'Net proper and have taken about 300,000 hits combined.

Hope this helps. If you need assistance obtaining any of these tools, let me
know. I'll be happy to oblige.
Regards,
Van
--
=========================================================================
Linux rocks!!! http://www.dedserius.com
=========================================================================
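An added example, not code from Van's or Mark's messages, that turns two of the checks above into a small audit script: the web-server and database accounts should carry a non-interactive shell in /etc/passwd, and no MySQL account should be granted from a foreign host. The passwd lines and the user/host listing are constructed sample data; the account names www, dbuser, webapp and backup are assumptions.

```shell
#!/bin/sh
# Audit two of the hardening points from the reply above (added example, not
# code from the thread). Inputs are constructed samples so it runs offline.

# Constructed /etc/passwd excerpt; the user names are hypothetical.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www:x:80:80:web server:/var/www:/dev/null
dbuser:x:81:81:mysql daemon:/var/lib/mysql:/sbin/nologin
mark:x:1000:1000:Mark:/home/mark:/bin/bash'

# Constructed "user host" pairs, as SELECT user, host FROM mysql.user
# would list them; the account names are hypothetical.
SAMPLE_ACCOUNTS='root localhost
webapp localhost
webapp %
backup db.example.com'

# shell_ok USER PASSWD_TEXT: succeeds only if USER exists and has a
# shell that cannot be used for an interactive login (Van's /dev/null).
shell_ok() {
    shell=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }')
    [ -n "$shell" ] || return 1
    case "$shell" in
        /dev/null|/sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# foreign_hosts ACCOUNTS_TEXT: prints user@host for every account whose
# grant is not restricted to the local machine, i.e. the ones to revoke.
foreign_hosts() {
    printf '%s\n' "$1" | awk '$2 != "localhost" && $2 != "127.0.0.1" { print $1 "@" $2 }'
}

# Stand-alone report.
for u in www dbuser; do
    if shell_ok "$u" "$SAMPLE_PASSWD"; then
        echo "$u: non-interactive shell, ok"
    else
        echo "$u: missing or has a login shell, fix /etc/passwd"
    fi
done
echo "accounts reachable from foreign hosts:"
foreign_hosts "$SAMPLE_ACCOUNTS"
```

On a real host, replace the two sample strings with the output of cat /etc/passwd and of SELECT user, host FROM mysql.user.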