Hi Guys,
I am working on an application which needs to connect to a MySQL database for updating/insertion etc. For the application to pick up the username/password I've created a config file somewhere on the system which looks like this:
<snip>
[mysqld]
user=root
password=mypassword
port=3306
</snip>
Problem is that this file can be read by root on that server and my password is pretty much known to anyone who has root access. Is there any way I can keep the password in encrypted format and still connect to the mysql database? Just to give an example of what I am looking at, in openldap you can generate a password in encrypted format using slappasswd -t {MD5} -s mypassword and store it in your slapd.conf file. Even if someone does get access to slapd.conf, s/he still cannot decrypt the password very easily.
Please note that I cannot hard code the password into my application, since the root password for MySQL is subject to change without notice to me.
TIA, Chiragz
On Friday 03 April 2009, Chirag R wrote:
Hi Guys,
I am working on an application which needs to connect to a MySQL database for updating/insertion etc. For the application to pick up the username/password I've created a config file somewhere on the system which looks like this:
<snip>
[mysqld]
user=root
password=mypassword
port=3306
</snip>
Problem is that this file can be read by root on that server and my password is pretty much known to anyone who has root access.
Who cares about some crappy password once they have root access.
Is there any way I can keep the password in encrypted format and still connect to the mysql database? Just to give an example of what I am looking at, in openldap you can generate a password in encrypted format using slappasswd -t {MD5} -s mypassword and store it in your slapd.conf file. Even if someone does get access to slapd.conf, s/he still cannot decrypt the password very easily.
"Easily" is a very relative term.
On Fri, Apr 3, 2009 at 10:46 AM, jtd jtd@mtnl.net.in wrote:
On Friday 03 April 2009, Chirag R wrote:
Hi Guys,
I am working on an application which needs to connect to a MySQL database for updating/insertion etc. For the application to pick up the username/password I've created a config file somewhere on the system which looks like this:
<snip>
[mysqld]
user=root
password=mypassword
port=3306
</snip>
Problem is that this file can be read by root on that server and my password is pretty much known to anyone who has root access.
Who cares about some crappy password once they have root access.
What do you do when you have two different admins? One for MySQL (database guy) and the System admin (root guy)?
On Friday 03 April 2009, Chirag R wrote:
On Fri, Apr 3, 2009 at 10:46 AM, jtd jtd@mtnl.net.in wrote:
On Friday 03 April 2009, Chirag R wrote:
Hi Guys,
I am working on an application which needs to connect to a MySQL database for updating/insertion etc. For the application to pick up the username/password I've created a config file somewhere on the system which looks like this:
<snip>
[mysqld]
user=root
password=mypassword
port=3306
</snip>
Problem is that this file can be read by root on that server and my password is pretty much known to anyone who has root access.
Who cares about some crappy password once they have root access.
What do you do when you have two different admins? One for MySQL (database guy) and the System admin (root guy)?
Root is king. ALWAYS.
On Fri, Apr 3, 2009 at 10:53 AM, Chirag R crazylinuxer@gmail.com wrote:
What do you do when you have two different admins? One for MySQL (database guy) and the System admin (root guy)?
Are you worried about your password? Or about root accessing the database? The latter can happen even without him knowing your password. And for the former you can use a different password besides your top_secret_password. Or is there some other reason why you'd want to hide the password from the root user?
On Fri, Apr 3, 2009 at 11:08 AM, Mehul Ved mehul.n.ved@gmail.com wrote:
On Fri, Apr 3, 2009 at 10:53 AM, Chirag R crazylinuxer@gmail.com wrote:
What do you do when you have two different admins? One for MySQL (database guy) and the System admin (root guy)?
Are you worried about your password? Or about root accessing the database? The latter can happen even without him knowing your password. And for the former you can use a different password besides your top_secret_password.
Or is there some other reason why you'd want to hide the password from the root user?
Thanks for your reply Mehul. Following reasons:
1. My App looks bad since it requires storing the password in clear-text in a file. This is more of a client requirement; they do not want any password to be stored in clear-text. Take the example of Oracle DB: it provides you the facility of Oracle Wallet, using which you can store a password and access it via a tnsname.
2. Accidentally doing a cat, even by root, will make the password visible.
3. If you send across the system info to support to troubleshoot my App, this file may be included. Customer passwords will be exposed to the support guys. (I know the customer can remove the password line and send across the file, but again it's about convenience.)
I know root can access almost any file and cause damage/modify, but that is something I am not worried about. The idea is to not keep it ridiculously easy for someone to crack.
On Friday 03 April 2009 11:28:46 Chirag R wrote:
- My App looks bad since it requires storing the password in clear-text in a file.
what programming language are you using?
On Fri, Apr 3, 2009 at 11:43 AM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
On Friday 03 April 2009 11:28:46 Chirag R wrote:
- My App looks bad since it requires storing the password in clear-text in a file.
what programming language are you using?
C/C++
On Friday 03 Apr 2009, Chirag R wrote:
[snip] Following reasons:
1. My App looks bad since it requires storing the password in clear-text in a file. This is more of a client requirement; they do not want any password to be stored in clear-text. Take the example of Oracle DB: it provides you the facility of Oracle Wallet, using which you can store a password and access it via a tnsname.
2. Accidentally doing a cat, even by root, will make the password visible.
3. If you send across the system info to support to troubleshoot my App, this file may be included. Customer passwords will be exposed to the support guys. (I know the customer can remove the password line and send across the file, but again it's about convenience.)
I know root can access almost any file and cause damage/modify, but that is something I am not worried about. The idea is to not keep it ridiculously easy for someone to crack.
Since root has access to the whole system, all you can do is move the plain text from the file to the application. For instance, you could keep the password encrypted in the config file and let your application read that and provide a key to decrypt the password and send it to MySQL. However, that is essentially just shifting the encryption from one point to another on the system.
If you're a believer in security by obscurity (which I'm not), this method will work for you. On the other hand, anyone who can access your application (e.g. root) can extract the algorithm and key from it and decrypt the password herself if she so desires.
Regards,
-- Raju
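As an added illustration of Raju's point (example code, not from anyone in this thread): assume the application embeds APP_KEY and reads the [mysqld] config shown above. Decoding the 'enc:' value needs only that key, so anyone who can read the binary and the file recovers the password; the file-mode check is the part that actually limits who can read the file in the first place. The toy XOR keystream, the 'enc:' prefix and all names here are assumptions for the example.

```python
import base64
import configparser
import hashlib
import os
import tempfile

# Hypothetical key baked into the application binary (assumption for this example).
# Anyone who can read the binary can recover it, which is Raju's point.
APP_KEY = b"example-app-key-embedded-in-binary"

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher (XOR with a SHA-256 keystream); illustrates key-in-app only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_password(plain: str, key: bytes = APP_KEY) -> str:
    """Produce the 'enc:' form that would be written into the config file."""
    return "enc:" + base64.b64encode(keystream_xor(plain.encode(), key)).decode()

def load_credentials(path: str, key: bytes = APP_KEY) -> dict:
    """Read the [mysqld] section; refuse files readable by group or others.
    The 0600 check limits readers to the owner and root; 'enc:' decoding is only obfuscation."""
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:04o}, expected 0600")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    section = cfg["mysqld"]
    password = section["password"]
    if password.startswith("enc:"):
        password = keystream_xor(base64.b64decode(password[4:]), key).decode()
    return {"user": section["user"], "password": password, "port": int(section["port"])}

def demo(mode: int = 0o600) -> dict:
    """Constructed sample: write the thread's config with an 'enc:' password to a temp file."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write(f"[mysqld]\nuser=root\npassword={encrypt_password('mypassword')}\nport=3306\n")
        os.chmod(path, mode)
        return load_credentials(path)
    finally:
        os.unlink(path)
```

Calling demo() returns the plaintext credentials from a 0600 file; demo(0o644) is refused before the password is even decoded.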
Chirag R wrote:
- My App looks bad since it requires storing the password in clear-text in a file. This is more of a client requirement; they do not want any password to be stored in clear-text. Take the example of Oracle DB: it provides you the facility of Oracle Wallet, using which you can store a password and access it via a tnsname
What kinda developer are you?! Can't you figure this out by yourself? Use a symmetric cipher to store the password. You could use asymmetric ciphers but I've not put much thought into it. Be creative!
And BTW STOP comparing MySQL with other databases. If you feel it should have certain features, open up a bug report.
- Dinesh
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is up to Rs.35,000. (Motherboard, processor, RAM, Cabinet with power supply)
Thanks Richard
HP ML110 G5 server
On Fri, Apr 3, 2009 at 6:49 PM, Richard Correia richard@florix.net wrote:
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is up to Rs.35,000. (Motherboard, processor, RAM, Cabinet with power supply)
Thanks Richard
~~~~~~~~~~~~~~ Sameer Shinde. M:- +91 98204 61580 Millions saw the apple fall, but Newton was the one who asked why.
On Friday 03 April 2009 18:49:11 Richard Correia wrote:
I need to assemble a web server with apache, MySQL, PHP.
why are you hijacking a thread?
Hi Kenneth,
Good evening.
May I request you to please explain what you mean by "hijacking a thread"?
Thanks Richard Correia
-----Original Message----- From: linuxers-bounces@mm.ilug-bom.org.in [mailto:linuxers-bounces@mm.ilug-bom.org.in] On Behalf Of Kenneth Gonsalves Sent: Friday, April 03, 2009 8:44 PM To: GNU/Linux Users Group, Mumbai, India Subject: Re: [ILUG-BOM] Entry level server
On Friday 03 April 2009 18:49:11 Richard Correia wrote:
I need to assemble a web server with apache, MySQL, PHP.
why are you hijacking a thread?
Richard Correia wrote:
May I request you to please explain what do you mean by "hijacking a thread"?
Your question is not related to the current discussion. If you want to discuss or ask about something new, start a new thread. Don't reply on older mails to ask your question.
Have a look at this link: http://www.retouchpro.com/forums/forums-q/6376-question-what-thread-hijackin...
Richard Correia wrote:
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is up to Rs.35,000. (Motherboard, processor, RAM, Cabinet with power supply)
You hit reply on the thread titled "MySQL encryped passwords". Then you changed the subject line and wrote your email, because you were too lazy to simply copy-paste the mailing list's address and compose a new email. For you, it didn't make any difference. For us, we can see that you did all of that :) This is called "thread hijacking". Now all the replies to your thread will be mixed with the original thread, making it really difficult for us to make out the difference between the two.
Think about others once in a while...
- Dinesh
Hi,
Okay. Got it ....
I apologize for the mistake, it was unintentional.
Thanks, Richard Correia
-----Original Message----- From: linuxers-bounces@mm.ilug-bom.org.in [mailto:linuxers-bounces@mm.ilug-bom.org.in] On Behalf Of Dinesh A. Joshi Sent: Friday, April 03, 2009 9:44 PM To: GNU/Linux Users Group, Mumbai, India Subject: Re: [ILUG-BOM] Entry level server
Richard Correia wrote:
Hi,
Richard Correia wrote:
I apologize for the mistake, it was unintentional.
I do not post regularly on this list, but still want to say something: "please avoid top posting". Sometimes it becomes difficult to read. It's a norm on most mailing lists. It's just advice given for making this list a more beautiful place :)
For more mailing list rules, please check http://typo3.org/community/mailing-lists/mailing-list-rules-guidelines/ The above link is not the rules for this list, but for most mailing lists in general.
On Friday 03 Apr 2009, Richard Correia wrote:
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is up to Rs.35,000. (Motherboard, processor, RAM, Cabinet with power supply)
IMO, use server grade components for server type applications, unless you are just doing a proof of concept.
An entry level server motherboard, CPU, and a server grade cabinet (with a good SMPS) will cost you around Rs. 30K. RAM and hard disk will vary per the capacity that you want to configure. At a minimum, configure RAID1 and 4GB of memory (2*2048MB DIMMs).
Richard Correia wrote:
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is up to Rs.35,000. (Motherboard, processor, RAM, Cabinet with power supply)
DG35 is not a high end board, it's only high priced. Look at Asus boards available for AMD processors.
Hi,
One of my client requires a server for two months on rent.
Rough Specification: Dual Xeon with 4GB RAM, SCSI HDD
Is there anyone who deals into it?
Please contact me on richard@florix.net/09764287004
Thanks Richard
On Fri, Apr 3, 2009 at 6:06 PM, Dinesh A. Joshi dinesh.a.joshi@gmail.com wrote:
What kinda developer are you?! Can't you figure this out by yourself? Use a symmetric cipher to store the password. You could use asymmetric ciphers but I've not put much thought into it. Be creative!
If he knew how to do it, he wouldn't have asked. If you don't want to help, don't. There might be others in the list who might want to help.
And BTW STOP comparing MySQL with other databases. If you feel it should have certain features, open up a bug report.
In my opinion, he compared MySQL to Oracle to put across his point.
- Dinesh
Warm Regards ~~~~~~~~~~~~~~~ Vinayak
theregoesanotherday.blogspot.com
Vinayakam Murugan wrote:
If he knew how to do it, he wouldn't have asked. If you don't want to help, don't. There might be others in the list who might want to help.
Dear Vinayakam: Please do take some time out and read my reply *correctly*. It not only gave him the answer to whatever he wanted but also pointed out that he should've figured it out himself. MySQL has some very good docs. If there was an answer to his problem it would be in there. Since it's not there, it's sufficient to assume that he'll have to do it himself (isn't that the whole point of FOSS / Linux?). There are only so many ways to obfuscate your password. So my point still stood: he should've figured it out himself.
In my opinion, he compared MySQL to Oracle to put across his point.
So? He had a specific requirement and many people do have such requirements. I asked him to file a bug report with MySQL so that they may include it as a feature in one of their future releases. Instead of copying features from other software, if he can contribute an original feature that would be a good thing :)
- Dinesh