Security Risk – How Dangerous is Storing User Passwords in Plaintext in CGI Script

Securityusersweb server

I am setting up a MySQL database and am providing a web interface for it. Now, the DB is extremely simple and the interface just runs certain SELECT statements.
I have created a user for my script to use when connecting with these commands:

CREATE USER 'foo' IDENTIFIED BY PASSWORD 'bar';
GRANT SELECT ON dbname.* TO foo

I then have these lines in my Perl script:

my $user = "foo";
my $pw = "bar";

NOTES:

  • The data on the database are completely public and users can use/redistribute them at will. I have no interest in blocking anyone from accessing it, it is to provide a dataset to the scientific community.
  • The data are static, there is no need for anyone to be able to modify them in any way and the only user who has the right to is root (the only other user on the system).

So, my question is, how dangerous is this? Given that the user only has SELECT rights, what bad things can happen with this, clearly insecure, setup? Is there a better way of allowing access to my script bearing in mind the two notes above?

Best Answer

You should always put application passwords in O/S Environment Variables (envvars).

  • Can only be read by the assigned O/S user (or root)
  • You won't accidentally screw up file permissions (if putting passwords in files)
  • You won't accidentally check passwords in to source control (this is particularly important in open source)
  • Survives reboots
  • envvars are easy to read with most languages
  • You should follow the principle of least privilege and run say your web server as its own user.

http://perldoc.perl.org/Env.html

Related Question