什么是最好的方法来保护数据库连接字符串? [英] What's best way to secure a database connection string?
问题描述
我在PHP中编写了一组数据库驱动的应用程序。这些应用程序将作为自己的用户在Linux服务器上运行。其他用户有时可能在系统上,但具有非常受控的访问。其他服务器他们根本不能访问。我还将向需要编写Perl脚本的开发人员公开一个限制存储过程API,使用DBI和一组我写的函数访问数据库。
I am writing a set of database-driven applications in PHP. These applications will run on a Linux server as its own user. Other users will likely be on the system at times, but have very controlled access. Other servers they will not have access to at all. I will also expose a limit stored procedure API to developers who need to write Perl scripts that access the database using a DBI and a set of functions I write.
我的问题是什么最好的方式来保护在其中有连接字符串的配置文件?
My question is what the best way to secure the config files that have connection strings in them?
是否有不同的用户对文件拥有[4+] 00权限?我应该加密他们吗?这似乎只是将问题转移到别处,所以我担心在哪里存储加密密钥。我意识到Perl开发人员将需要有一个自己的连接字符串,因为他们将只有执行数据库权限。
Is a different user with [4+]00 permissions on the file sufficient? Should I encrypt them? That seems to just shift the problem elsewhere so that I worry about where to store an encryption key. I realize the Perl developers will need to have a connection string of their own as they will only have execute database permissions.
推荐答案
如果机器确实是以传统的Unix时代管理的,其中J.随机用户不会到根所有的时间,我会说,文件系统权限是你最好的赌注。如果有人获得未经授权的root访问权限,则没有任何数量的加密安全性可以保护连接字符串。
If the machine really is being administered in the traditional Unix fashion, where J. Random user isn't off su-ing to root all the time, I'd say that filesystem permissions are your best bet. If someone gets unauthorized root access, no amount of encryption silliness is going to "secure" the connection string.
我将标记文件w /
(Bravo意识到加密连接字符串不会给你买任何东西,在这个例子中。通过阴暗是反作用的。)
(Bravo for realizing that encrypting the connection string doesn't buy you anything, in this example. Security through obscurity is counter-productive.)
这篇关于什么是最好的方法来保护数据库连接字符串?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
