[Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

Matthew Gillen me at mattgillen.net
Sat Jan 31 12:48:31 EST 2015


Set up postgres to only allow connections from the loopback.  Put the db
credentials in a file, then rely on file-system permissions and/or
SELinux to prevent access to that file from other processes on the
system.  This is the sort of thing SELinux is really designed for.

Matt

On 1/31/2015 10:56 AM, Eric Chadbourne wrote:
> FWIW, in PHP you often put the PostgreSQL user credentials in the code.  Usually a config file somewhere.  You can also place sensitive files outside of your web root with proper permissions.  If all running on a local box I don’t open the ports or set the db config to allow other connections.  It seems reasonably secure.
> 
> I am curious as to what others do.
> 
> The PostgreSQL docs have a ton of great info.
> 
> - Eric
> 
> 
> 
>> On Jan 31, 2015, at 10:28 AM, Kent Borg <kentborg at borg.org> wrote:
>>
>> Related to my previous database questions...
>>
>> Normally I think of a program as trusting itself, having some integrity, maybe not even having gaping bugs or security holes. But what if the program I am writing is talking to another, such as Postgres? Postgres has the ability to do passwords, so do I just put a password in my program source? Set Postgres to only accept local connections, and hope for the best? Seems wrong. Do I try to put both in a chroot or something?
>>
>> My program already has to hope that its program files are secured by the hosting OS, but at least if it isn't opening up a network port it stays a rather contained problem.
>>
>> (I want multiple programs talking to the database, so no, I can't just link in Sqlite.)
>>
>> Seems a general problem of securing interprocess communications.
>>
>> Thoughts?
>>
>> Thanks,
>>
>> -kb, the Kent who knows that people Google for passwords, search github for passwords, and get a lot of juicy results.
>> _______________________________________________
>> Discuss mailing list
>> Discuss at blu.org
>> http://lists.blu.org/mailman/listinfo/discuss
> 
> 
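
An added example, not part of any message in this thread: one way a client program can keep the database password out of its source and refuse to use a credentials file that other accounts on the box could read or modify. The file layout (key=value lines), the key names and the sample values are assumptions made for the illustration.

```python
import os
import stat

class InsecureCredentialFile(Exception):
    """Raised when the credentials file could be read or altered by others."""

def load_db_credentials(path):
    """Read key=value credentials, refusing files other accounts can access."""
    # O_NOFOLLOW: do not follow a symlink planted at the final path component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat the open descriptor so the check and the read hit the same file.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureCredentialFile(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise InsecureCredentialFile(f"{path}: not owned by this user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            raise InsecureCredentialFile(
                f"{path}: mode {mode:04o} allows group/other access")
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            fd = None  # fh owns the descriptor from here on
            text = fh.read()
    finally:
        if fd is not None:
            os.close(fd)
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"{path}: malformed line (expected key=value)")
        creds[key.strip()] = value.strip()
    return creds

def write_sample(path):
    """Create a constructed sample file, mode 0600 from the moment it exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample values\n"
                 "host=127.0.0.1\nuser=app\npassword=example-only\n")
```

The returned values would be handed to the database driver at connect time; an SELinux policy restricting which processes may open the file is a separate layer on top of this check.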



