0

Is it considered bad practice to have a MySQL query with user:pass as plaintext?

I'm doing this right now (in nginx/roundcube to modify my dovecot passwords) but it seems strange because if I had other system users on the server they could navigate to the config, read the name/pass file and delete password hashes and/or add their own.

Would the suggested fix be to simply set any sensitive files to 700 permissions? I'm not sure how flexible that would be with some files on the webserver?

If someone could clear this up for me that would be great :-)

  • "navigate to the config, read the name/pass file" I hope you don't have 1) plain passwords saved in files 2) those files readable for world-readable. Why can't you hash before querying? Sensitive files should be only readable by the program that needs it, no one else. – sebix Oct 20 '14 at 19:46
  • @sebix What is your solution then? I am trying to use fastcgi_param so that I can define the user:pass in /etc/nginx but I can't get it to work: `$config['password_db_dsn'] = "mysql://'$_SERVER[RC_PASSWORDPLUGIN_USER]':'$_SERVER[RC_PASSWORDPLUGIN_PASSWORD]'@localhost/servermail";` – rottweilers_anonymous Oct 20 '14 at 21:41
  • Alright, I got it working! `$get_user = $_SERVER['RC_PASSWORDPLUGIN_USER']; $get_pass = $_SERVER['RC_PASSWORDPLUGIN_PASSWORD']; $config['password_db_dsn'] = "mysql://$get_user:$get_pass@localhost/servermail";` I can't get around putting a plaintext in /etc/nginx/sites-available though... – rottweilers_anonymous Oct 20 '14 at 22:05
  • And then I can set /etc/nginx/sites-available/* to 640 www-data:www-data. Seems better now that it's out of the website root. – rottweilers_anonymous Oct 20 '14 at 22:23

1 Answer

0

The risk depends somewhat on how you run PHP and the file-system permissions that are supported then.

As for the password being in clear text, as far as I know there's no way yet to avoid having the clear text password somewhere.

From MySQL 5.6 you have the MySQL config editor which allows you to encrypt MySQL login credentials so they're no longer stored in clear text, but as far as I know the typical PHP MySQL libraries won't use that yet and it is more obfuscation than a genuine irreversible hash.

HBruijn