What's best way to secure a database connection string?
I am writing a set of database-driven applications in PHP. These applications will run on a Linux server as its own user. Other users will likely be on the system at times, but have very controlled access. Other servers they will not have access to at all. I will also expose a limit stored procedure API to developers who need to write Perl scripts that access the database using a DBI and a set of functions I write.
My question is what the best way to secure the config files that have connection strings in them?
Is a different user with [4+]00 permissions on the file sufficient? Should I encrypt them? That seems to just shift the problem elsewhere so that I worry about where to store an encryption key. I realize the Perl developers will need to have a connection string of their own as they will only have execute database permissions.
If the machine really is being administered in the traditional Unix fashion, where J. Random user isn't off su-ing to root all the time, I'd say that filesystem permissions are your best bet. If someone gets unauthorized root access, no amount of encryption silliness is going to "secure" the connection string.
I'd mark the files w/ the connection string as owned by the "script user" and give them access as you describe.
(Bravo for realizing that encrypting the connection string doesn't buy you anything, in this example. Security through obscurity is counter-productive.)
Here's a link to a free Apache module that helps to manage access to a password store:
It seems a little elaborate to me, and requires you run PHP under mod_php. And still it doesn't address the possibility that unauthorized people who have access to the server can just read your password file.
I think you have to rely on file permissions, and trust that unauthorized people don't have the ability to sudo to your PHP application UID, or to root.
My best solution so far has been to store config files in an encrypted partition so that people with direct access to the machine can't pull the passwords off by connecting the drive to another PC, and with file system permissions so people can't read the file from inside the OS itself.
You need to understand, though, that there's not much you can do against an attacker with direct access to the machine. If it's running the database server itself, then securing the config files won't have much effect if he can modify the database itself. Just make sure that everything is as secure as it can be and you'll probably be okay.