MySQL - Best strategy to keep generic password secret

suexec will not allow a program to run as root.  There is a way to setup an alias ID to have suexec run as root (thanks to ahoffman for that) but I really don't want to have anything to do with root.

I know that a lot of programs have the same requirement as I and I know that they do not run as root.  Everything from eCommerce apps to discussion group software access a mySQL database and supply and ID and password.

The usual method is to create one or more MySQL users that have the most limited access to the database possible consistant with the needs of the web application. Those user names/passwords will have to be in the Perl, Php, etc., code that comprises the application, so that code needs to be prected to the maximum extent possible.

In the ideal case only SysAdmins actually have login rights on the web server and protection of the web source files is correspondingly easy. If users must be able to manage web sites, meaning uploading page code to the server those users can be limited to FTP where the FTP server doesn't use Linux account information for access and chroot's the FTP user to their site directory. The page code associated with other sites are in site directorys and thus inaccessible.

as said, there is (currently) no programatik way to hide the password needed by a program.
This problem has been discussed several times, all with no (useful) avail.
Protect your file containing the password, that's it.
Best is 400 for root.

If you access MySQL via a webserver, then it's most likely possible to use the password while the webserver starts (and makes a permanent connection), at least apache with mod_perl, fastcgi, php, tt2, etc. can do it. This way you even hide the password from application programmers.

well, another way I sometimes use, is as follows:
  1. setup MySQL to listen on localhost:port only
  2. in mysql.db use a very restrictive entry with IP and username and db, but empty password
  3. setup ~user/.ssh/authorized keys with a valid key
  4. connect to the host (with mysql) with ssh and local port forwarding
      ssh user@remote -i /path/ro/secret.key -L4711:localhost:4242 sleep 1000
  5. connect to mysql without password:
     mysql -P 4242 -h localhost -u user <your-query.sql

This is more of security-by-obscurity 'cause you still need a passwordless ssh-key, to circumvent this you
may use ssh-agent (once at startup)
At least you database is as secure as the system which it runs on *and* the ssh-key (if passwordless).
Even if the passwordless ssh-key gets stolen, someone needs to find out where it is used.

I should have been more clear in that the target environment is a bog standard web host.

For applications that run as root, protecting the password from all but root is pretty easy as ahoffmann points out.  Changing the mysql server listen on the localhost port only is not always an option.  Hiding the ID and password in your code is what I suspect most people do.  The problem there is that once someone finds out the password your application is compromised.   You really need to create a random password and put this in a file.  You can then protect the file from being read by other users on the system.  To me this is not great but it sounds like this question has come up before with no standard answer.  I did search but could not find any threads on this.

I will give this one a few more days.

> ..  listen on the localhost port only is not always an option
no warries.
Let it listen on more than one IP, but protect the localhost  as I said.
If the webserver and database server share the same system, it's even worse.
In such cases I use the vserver patch for the kernel, and run vservers on the same hardware: one vserver for one application (web, database). Some people may arg that this is what M$ does (to make money:), but it's much better, each such vserver only runs init + sshd + application, nothing more. A dozent vservers on a standard hardware are no problem ;-)
This also protects you that one root-compromised system compromises another one.

Using random passwords programatically makes things complicated, and if something fails you also may be lost in nowhere. Just keep in mind ...

> The usual method is just to put the password in a configuration file  ..
> .. make sure you can't do more than needed if you have this password..
hmm, remember this is a Security TA, and the question was "how to do it better"
We all agree, somehow, that this is undoable.
I also prefer KISS - keep it stupid simple - but passwords used programaticaly seem to brake this paradigm ..

What does it break ?

Some examples for common softs as packaged in debian :

For PHPMyAdmin, I have the password in /etc/phpmyadmin
For roundup, it's in $TRACKER_HOME/config.py
For cacti, in /etc/cacti
For mnogosearch , in etc/indexer.conf

It's probably the same for any webmail with a sql backend, or j2ee programs, this is just the usual way to do it.

You have to think at how the password could be compromised: an intruder needs the apache (or anything else running the process) privileges, and at this point you have bigger problems anyway. And whatever the method to get the password is, since your process needs to get it, the intruder can get it too once he has apache privileges.

Alain,

What I don't see is how this could work with SUEXEC with virtual domains since the application that needs to get at those password files would be running as a real user rather than the user specified for Apache.

I thought that suexec was just a suggestion from you, if your process (which language ?) is running with each user identity, you can just put these users in a group who's allowed to read the password file.

This doesn't change the problem, if the program can read a file or whatever to get the password the user can do it too.

If you don't want users to have a direct connection to the database, you can use an intermediate layer. It's more or less easy depending of your language.
For example in python you have pyro which is an object broker really simple to use, you request a distant connection object (initialized by another single multithreaded background process) and use it as if it was created locally.

It looks like this, similar to rmi in java :

import Pyro.core
Pyro.core.initClient()
connection=Pyro.core.getProxyForURI("localhost:7777/connection")
connection.execute("select something from some where")

> .. this is just the usual way to do it.
that's the defect.
If the password can only be read by the server (nobody, wwwrun orwhatever running httpd), a broken application does not compromise the databse security.
Just think of XSS, path enumeration, etc. which might be possible in the application (and PHP applications are far, far, very far away from being secure, unfortunately).

We may discuss if the application or the OS is more likely infected by whatever.
We don't need to talk about getting root-access somehow, then anything is lost. But if the application is seperated from the web-server (httpd), then it's one more level to break.

Yes, my suggestions are something like a proxy.
It's like you go to the bank getting a withdrawal: you cannot go to the vault yourself, even the building is save and protected.

I love a good and lively discussion and there have been some interesting ideas that have come forth.  Let me refer back to my requirements and then clarify them a bit more.

1) mySQL
2) A single database for multiple users
3) SUEXEC

As I have mentioned before I target a web-hosting environment where I cannot make too many demands on the host.  Web hosts typically use SUEXEC to keep user's away from each other.  As long as you have one database per virtual domain / unix user, a password in a file for each user with 600 is grand.  I think this is the case with a lot of applications.  

In my case I want to have one single database for all domains / users.  This means SUEXEC will run the application under the user identity associated with each virtual domain.  Therfore the password file would have to be readable by everyone.  I need SUEXEC because I have to manipulate the user’s files.  Even if I did not, once SUEXEC is enabled it forces all CGI to run under a user’s identity rather than that of the web server.  I have no choice as to whether the web host runs SUEXEC.

I have solved this problem for the project at hand by piping my request to a daemon running as root.  The daemon can suid to the user to manipulate files.   I did this mainly for performance but it looks like I would have had to do it anyway for security reasons.  While all of this is fresh in my mind I am fishing for a simpler solution that I might use in other similar projects.

who needs to care about the passwords used for the database: the human user infront of the browser, or the application accessing the database?

The application accessing the database.

>  The application accessing the database.

Good question because I didn't get it finally: what's the web server doing if the final user uses this application ? What language do you use for the application ?

> what's the web server doing if the final user uses this application ?

Sorry Alain, I am not understanding your question.

The application is a CGI script written in Perl.  It authenticates the user (using FTP/POP),  fools around with the mySQL database and reads / writes files into the user's public_html directory.  It is a site builder tool.

if the application is the master (knowing all passwords), why having a password for each user?
One password for the application seems to be enough.
Your cgi, language doesn't matter, then can access the database, and calls a suexec'd script/pogram to store the files in the user's public_html directory.

The application does not know any user passwords.  Each user of the application is a valid unix user. The user is prompted for a unix password.  This ID/password collected from the user is authenticated via POP.  Having authenticated the user, the application feels confident to access the user's files.   After all it is running under the identity of the user.  With suexec you have no choice in the matter.  Your script will run under a real user's identity.

The problem is that there is no way to keep the database password secret since the script will be running a number of different identities.

> .. user is prompted for a unix password.
Is this done via POP?

Anyway, how about following idea:
  1. cgi prompts for password ina HTML form (returned via SSL)
  2. cgi authentificates against OS (/etc/passwd or whatever)
  3. cgi SUEXECs with valid user
  4. cgi (now with effective uid of user) authentificates with same password against mysql

password is now known by the (human) user only, but used in clear text in the cgi, so you need to prtect the cgi (500 etc.)

'caue MySQL has it's own authentification schema, you can connect the databse in step 2., then use this connection in step 4. (see mysql's --socket option)