3 Apr
2009
3 Apr
'09
4:44 a.m.
Hi Guys,
I am working on an application which needs to connect to MySQL database for
updating/insertion etc. For the application to pickup the username/password
I've created a config file somewhere on the system which looks like this:
<snip>
[mysqld]
user=root
password=mypassword
port=3306
</snip>
Problem is that this file can be read by root on that server and my password
pretty much known to anyone who has root access. Is there anyway I can keep
the password in encrypted format and still connect to mysql database? . Just
to give an example of what I am looking at, in openldap you can generate a
password in encrypted format using slappasswd -t {MD5} -s mypassword and
store it in your slapd.conf file. Even if someone does get access to
slapd.conf, still s/he cannot decrypt the password very easily.
Please note that I cannot hard code the password into my application, since
the root password for MySQL is subject to change without notice to me.
TIA,
Chiragz
3 Apr
3 Apr
5:16 a.m.
On Friday 03 April 2009, Chirag R wrote:
Hi Guys,
I am working on an application which needs to connect to MySQL
database for updating/insertion etc. For the application to pickup
the username/password I've created a config file somewhere on the
system which looks like this:
<snip>
[mysqld]
user=root
password=mypassword
port=3306
</snip>
Problem is that this file can be read by root on that server and my
password pretty much known to anyone who has root access.
Who cares about some crappy password once they have root access.
Is there
anyway I can keep the password in encrypted format and still
connect to mysql database? . Just to give an example of what I am
looking at, in openldap you can generate a password in encrypted
format using slappasswd -t {MD5} -s mypassword and store it in your
slapd.conf file. Even if someone does get access to slapd.conf,
still s/he cannot decrypt the password very easily.
"Easily" is a very relative term.
--
Rgds
JTD
5:23 a.m.
On Fri, Apr 3, 2009 at 10:46 AM, jtd <jtd(a)mtnl.net.in> wrote:
On Friday 03 April 2009, Chirag R wrote:
What do you do when you have two different admins? One for MySQL (database
guy) and the System admin (root guy)?
Hi Guys,
I am working on an application which needs to connect to MySQL
database for updating/insertion etc. For the application to pickup
the username/password I've created a config file somewhere on the
system which looks like this:
<snip>
[mysqld]
user=root
password=mypassword
port=3306
</snip>
Problem is that this file can be read by root on that server and my
password pretty much known to anyone who has root access.
Who cares about some crappy password once they have root access.
5:33 a.m.
On Friday 03 April 2009, Chirag R wrote:
On Fri, Apr 3, 2009 at 10:46 AM, jtd
<jtd(a)mtnl.net.in> wrote:
Root is king. ALWAYS.
--
Rgds
JTD
On Friday 03 April 2009, Chirag R wrote:
What do you do when you have two different admins? One for MySQL
(database guy) and the System admin (root guy)? Hi Guys,
I am working on an application which needs to connect to MySQL
database for updating/insertion etc. For the application to
pickup the username/password I've created a config file
somewhere on the system which looks like this:
<snip>
[mysqld]
user=root
password=mypassword
port=3306
</snip>
Problem is that this file can be read by root on that server
and my password pretty much known to anyone who has root
access.
Who cares about some crappy password once they have root access. 
5:38 a.m.
On Fri, Apr 3, 2009 at 10:53 AM, Chirag R <crazylinuxer(a)gmail.com> wrote:
What do you do when you have two different admins? One
for MySQL (database
guy) and the System admin (root guy)?
Are you worried about your password? Or about the root accessing the database?
The latter can happen even without him knowing your password. And
former you can use a different password besides your
top_secret_password.
Or is there some other reason why you'd want to hide the password from
root user?
--
"Ninety percent of baseball is half mental." -- Yogi Berra
5:58 a.m.
On Fri, Apr 3, 2009 at 11:08 AM, Mehul Ved <mehul.n.ved(a)gmail.com> wrote:
On Fri, Apr 3, 2009 at 10:53 AM, Chirag R
<crazylinuxer(a)gmail.com> wrote:
What do you do when you have two different
admins? One for MySQL
(database
guy) and the System admin (root guy)?
Are you worried about your password? Or about the root accessing the
database?
The latter can happen even without him knowing your password. And
former you can use a different password besides your
top_secret_password. Or is there some other reason why you'd want to
hide the password from
root user?
Thanks for you reply Mehul.
Following reasons :
1. My App looks bad since it requires to store password in clear-text in a
file. This is more of client requirement; they do not want any password to
be stored in clear-text. Take example of Oracle DB, it provides you facility
of Oracle Wallet, using which you can store password and access it via a
tnsname.
2. Accidentally doing a cat even by root will make the password visible.
3. If you send across the system info to support to troubleshoot my App,
this file maybe included. Customer passwords will be exposed to support
guys. (I know customer can remove the password line and send across the
file, but again its about convenience)
I know root can access almost any file and cause damage/modify, but that is
something I am not worried about. The idea is to not keep it ridiculously
easy for someone to crack.
6:13 a.m.
On Friday 03 April 2009 11:28:46 Chirag R wrote:
1. My App looks bad since it requires to store
password in clear-text in a
file.
what programming language are you using?
--
regards
Kenneth Gonsalves
Associate
NRC-FOSS
http://nrcfosshelpline.in/web/
6:27 a.m.
On Friday 03 Apr 2009, Chirag R wrote:
[snip]
Following reasons :
1. My App looks bad since it requires to store password in clear-text
in a file. This is more of client requirement; they do not want any
password to be stored in clear-text. Take example of Oracle DB, it
provides you facility of Oracle Wallet, using which you can store
password and access it via a tnsname.
2. Accidentally doing a cat even by root will make the password
visible.
3. If you send across the system info to support to
troubleshoot my App, this file maybe included. Customer passwords
will be exposed to support guys. (I know customer can remove the
password line and send across the file, but again its about
convenience)
I know root can access almost any file and cause damage/modify, but
that is something I am not worried about. The idea is to not keep it
ridiculously easy for someone to crack.
Since root has access to the whole system, all you can do is move the
plain text from the file to the application. For instance, you could
keep the password encrypted in the config file and let your application
read that and provide a key to decrypt the password and send it to
MySQL. However, that is essentially just shifting the encryption from
one point to another on the system.
If you're a believer in security by obscurity (which I'm not), this
method will work for you. On the other hand, anyone who can access
your application (e.g. root) can extract the algorithm and key from it
and decrypt the password herself if she so desires.
Regards,
-- Raju
--
Raj Mathur raju(a)kandalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves
12:36 p.m.
Chirag R wrote:
1. My App looks bad since it requires to store
password in clear-text in a
file. This is more of client requirement; they do not want any password to
be stored in clear-text. Take example of Oracle DB, it provides you facility
of Oracle Wallet, using which you can store password and access it via a
tnsname
What kinda developer are you?! Cant you figure out this by yourself? Use
a symmetric cipher to store the password. You could use asymmetric
ciphers but I've not put much thought into it. Be creative!
And BTW STOP comparing MySQL with other databases. If you feel it should
have certain features, open up a bug report.
- Dinesh
1:19 p.m.
New subject: Entry level server
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is upto Rs.35,000. (Motherboard, processor, RAM, Cabinet with
power supply)
Thanks
Richard
1:21 p.m.
New subject: Entry level server
HP ML110 G5 server
On Fri, Apr 3, 2009 at 6:49 PM, Richard Correia <richard(a)florix.net> wrote:
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is upto Rs.35,000. (Motherboard, processor, RAM, Cabinet with
power supply)
Thanks
Richard
~~~~~~~~~~~~~~
Sameer Shinde.
M:- +91 98204 61580
Millions saw the apple fall, but Newton was the one who asked why.
3 Apr
3 Apr
3:14 p.m.
New subject: Entry level server
On Friday 03 April 2009 18:49:11 Richard Correia wrote:
I need to assemble a web server with apache, MySQL,
PHP.
why are you hijacking a thread?
--
regards
Kenneth Gonsalves
Associate
NRC-FOSS
http://nrcfosshelpline.in/web/
3:51 p.m.
New subject: Entry level server
Hi Kenneth,
Good evening.
May I request you to please explain what do you mean by "hijacking a
thread"?
Thanks
Richard Correia
-----Original Message-----
From: linuxers-bounces(a)mm.ilug-bom.org.in
[mailto:linuxers-bounces@mm.ilug-bom.org.in] On Behalf Of Kenneth Gonsalves
Sent: Friday, April 03, 2009 8:44 PM
To: GNU/Linux Users Group, Mumbai, India
Subject: Re: [ILUG-BOM] Entry level server
On Friday 03 April 2009 18:49:11 Richard Correia wrote:
I need to assemble a web server with apache, MySQL,
PHP.
why are you hijacking a thread?
--
regards
Kenneth Gonsalves
Associate
NRC-FOSS
http://nrcfosshelpline.in/web/
--
http://mm.glug-bom.org/mailman/listinfo/linuxers
4:12 p.m.
New subject: Entry level server
Richard Correia wrote:
May I request you to please explain what do you mean
by "hijacking a
thread"?
Your question is not related to the current discussion.
If you want to discuss or ask about something new, start a new thread.
Don't reply on older mails to ask your question.
Have a look at this link:
http://www.retouchpro.com/forums/forums-q/6376-question-what-thread-hijacki…
--
Manish Sinha
Blog [ http://blog.manishsinha.net/ ]
Tech Blog [ http://manishtech.wordpress.com/ ]
Twitter [ http://twitter.com/ManishSinha ]
4:14 p.m.
New subject: Entry level server
Richard Correia wrote:
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is upto Rs.35,000. (Motherboard, processor, RAM, Cabinet with
power supply
You hit reply on the thread titled "MySQL encryped passwords". Then you
changed the subject line and wrote your email. Because you were too lazy
to simply copy paste the mailing list's address and compose a new email.
For you, it didn't make any difference. For us, we can see that you did
all of that :) This is called "Thread hijacking". Now all the replies to
your thread will be mixed with the original thread making it really
difficult for us to make out the difference between the two.
Think about others once in a while...
- Dinesh
4:51 p.m.
New subject: Entry level server
Hi,
Okay. Got it ....
I apologize for the mistake, it was unintentional.
Thanks,
Richard Correia
-----Original Message-----
From: linuxers-bounces(a)mm.ilug-bom.org.in
[mailto:linuxers-bounces@mm.ilug-bom.org.in] On Behalf Of Dinesh A. Joshi
Sent: Friday, April 03, 2009 9:44 PM
To: GNU/Linux Users Group, Mumbai, India
Subject: Re: [ILUG-BOM] Entry level server
Richard Correia wrote:
Hi,
5:01 p.m.
New subject: Entry level server
Richard Correia wrote:
I apologize for the mistake, it was unintentional.
I do not post regularly on this list, but still want to say something -
"please avoid top posting". Sometimes it becomes difficult to read. It's
a norm on most of the mailing lists.
It's just an advice given for making this list a more beautiful place :)
For more mailing list rules, please check
http://typo3.org/community/mailing-lists/mailing-list-rules-guidelines/
The above link is not the rules for this list, but for most of the
mailing list in general.
--
Manish Sinha
Blog [ http://blog.manishsinha.net/ ]
Tech Blog [ http://manishtech.wordpress.com/ ]
Twitter [ http://twitter.com/ManishSinha ]
5 Apr
5 Apr
5:03 a.m.
New subject: Entry level server
On Friday 03 Apr 2009, Richard Correia wrote:
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should
look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is upto Rs.35,000. (Motherboard, processor, RAM, Cabinet
with power supply)
IMO, user server grade components for server type applications, unless
you are just doing proof of concept.
An entry level server motherboard, CPU, and a server grade cabinet (with
a good SMPS) will cost you around Rs. 30K. RAM, and hard disk will
vary per the capacity that you want to configure. At a min. configure
RAID1 and 4GB of memory (2*2048MB DIMMs).
--
Arun Khan
10 a.m.
New subject: Entry level server
Richard Correia wrote:
Hi,
I need to assemble a web server with apache, MySQL, PHP.
It will mainly run a PHP based small ERP application.
Can someone suggest what kind of hardware I should look for?
Can I use high end Intel desktop motherboard e.g. DG35?
My budget is upto Rs.35,000. (Motherboard, processor, RAM, Cabinet with
power supply)
DG 35 is is not a high end board, its only high priced. Look at Asus
boards available for AMD processors.
--
Regards,
Rony.
GNU/Linux !
No Viruses
No Spyware
Only Freedom.
3 Apr
3 Apr
1:20 p.m.
New subject: OT - Required server for rent, two month
Hi,
One of my client requires a server for two months on rent.
Rough Specification: Dual Xeon with 4GB RAM, SCSI HDD
Is there anyone who deals into it?
Please contact me on richard(a)florix.net/09764287004
Thanks
Richard
8 Apr
8 Apr
4:25 a.m.
On Fri, Apr 3, 2009 at 6:06 PM, Dinesh A. Joshi <dinesh.a.joshi(a)gmail.com>wrote;wrote:
What kinda developer are you?! Cant you figure out this by yourself? Use
a symmetric cipher to store the password. You could use asymmetric
ciphers but I've not put much thought into it. Be creative!
If he knew how to do it , he wouldn't have asked. If you don't want to help,
don't. There might be others in the list who might want to help.
And BTW STOP comparing MySQL with other databases. If you feel it should
have certain features, open up a bug report.
In my opinion, he compared MySQL to Oracle to put across his point .
- Dinesh
--
http://mm.glug-bom.org/mailman/listinfo/linuxers
Warm Regards
~~~~~~~~~~~~~~~
Vinayak
theregoesanotherday.blogspot.com
1:59 p.m.
Vinayakam Murugan wrote:
If he knew how to do it , he wouldn't have asked.
If you don't want to help,
don't. There might be others in the list who might want to help.
Dear Vinayakam: Please do take some time out and read my reply
*correctly*. It not only gave him the answer to whatever he wanted but
also pointed out that he should've figured it out himself. MySQL has
some very good docs. If there was an answer to his problem it would be
in there. Since its not there, its sufficient to assume that he'll have
to do it himself ( Isn't that the whole point of FOSS / Linux ? ). There
are only so many ways to obfuscate your password. So my point still
stood - he should've figured it out himself
In my opinion, he compared MySQL to Oracle to put
across his point.
So? He had a specific requirement and many people do have such
requirements. I asked him to file a bug report with MySQL so that they
may include it as a feature in one of their future releases. Instead of
copying features from other softwares if he can contribute an original
feature that would be a good thing :)
- Dinesh
5358
days inactive
5363
days old
23 comments
12 participants
participants (12)
-
"Manish Sinha (मनीष सिन्ह ा)" -
Arun Khan -
Chirag R -
Dinesh A. Joshi -
jtd -
Kenneth Gonsalves -
Mehul Ved -
Raj Mathur -
Richard Correia -
Rony -
sameer shinde -
Vinayakam Murugan