I think one of the most secure options I can think of is to make the scripts
write a new separate file including all the passwords, into a location/name
that the ringadmin provides. That way each install uses a different file name
(so people can't just try to get to sanctified.net/...../passwords). Dunno
what the Perl logistics of this are, just my 2 cents.

Another idea I had was to encrypt the passwords (a la passwd). I also dunno if
Perl can do this easily.

Yet another idea is to have a PIN/password combo: the password is stored in
the file, the PIN is not, and must be memorized.

----- Original Message -----
From: "Gunnar Hjalmarsson" <mailbox@gunnar.cc>
To: <ringlinklist@gunnar.cc>
Sent: Monday, October 09, 2000 5:40 PM
Subject: [ringlinklist] Password security

>
> A couple of Ringlink users have called my attention to a security issue
> that affects some Ringlink set-ups.
>
> The passwords which give access to the different admin menus are stored
> in the following files:
>
> admin password - in the rlconfig.pm file
> ring passwords - in respective ring.db file
> site passwords - in respective sites.db file
>
> rlconfig.pm is stored in the 'lib' directory, and ring.db and sites.db
> are stored in different subdirectories under the 'data' directory.
>
> In my own Ringlink installation, the paths to the 'lib' and 'data'
> directories are as follows:
>
> /www/htdocs/gunnar/cgi-bin/ringlink/lib
> /www/htdocs/gunnar/cgi-bin/ringlink/data
>
> Both 'lib' and 'data' are located under the 'cgi-bin' directory. Because
> of the way my server is set up, no files in or under the 'cgi-bin'
> directory can be read from the web, which means that the password info
> is protected.
>
> However, it doesn't work this way on all servers. This means that in
> some cases, the files mentioned above, which include password info, are
> readable from the web.
>
> There are two reasons for this posting:
>
> 1) To call every Ringlink user's attention to this security issue
>
> 2) To ask for suggestions for appropriate steps to protect the
>    password info
>
> These are two possible ways to prevent the files in question from being
> readable from the web:
>
> - If you are on an Apache web server, you can put files named
>   .htaccess in the 'lib' and 'data' directories. The .htaccess files
>   are simple text files which in this case should have the following
>   contents:
>
>   order allow,deny
>   deny from all
>
> - If you have access to directories outside the web document root,
>   you could locate the 'lib' and 'data' directories there.
>
> But there are probably servers (webhosting accounts) where none of these
> solutions are possible to apply. That's why I ask you to post
> suggestions for other possible methods.
>
> / Gunnar
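The "encrypt the passwords (a la passwd)" suggestion above is straightforward in Perl, because the language has a built-in crypt() that wraps the C library's crypt(3). The following is an added example, not Ringlink's own code and not from either poster: it shows how the admin, ring and site passwords could be kept as salted one-way hashes instead of clear text, so that a readable rlconfig.pm, ring.db or sites.db does not directly hand out a usable password. It assumes a Unix host with /dev/urandom and a libc whose crypt() understands the "$6$" (SHA-512) salt prefix, as glibc and musl do; the function names hash_password and check_password and the sample password are invented for the example. Hashing complements, rather than replaces, the .htaccess / outside-document-root fixes in the quoted message, since a hash file that is readable from the web can still be attacked offline.

```perl
#!/usr/bin/perl
# Added example (not Ringlink code): store passwords as salted crypt() hashes.
use strict;
use warnings;

# Characters crypt(3) accepts in a salt.
my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Build a random salt from /dev/urandom. The "$6$" prefix requests SHA-512
# (assumption: the libc supports it). 256 % 64 == 0, so the modulo is unbiased.
sub make_salt {
    open my $fh, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 16 or die "short read from /dev/urandom";
    close $fh;
    return '$6$' . join '', map { $SALT_CHARS[ord($_) % @SALT_CHARS] } split //, $bytes;
}

# Hash a clear-text password for storage in rlconfig.pm / ring.db / sites.db.
# The returned string carries its own salt and scheme, so nothing else
# needs to be stored alongside it.
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, make_salt());
}

# Verify a submitted password against a stored hash. Passing the stored hash
# as the salt makes crypt() reuse the same scheme and salt, so the outputs
# match only if the password matches.
sub check_password {
    my ($submitted, $stored) = @_;
    return crypt($submitted, $stored) eq $stored;
}

# Demonstration with a constructed password (not a real Ringlink credential).
my $stored = hash_password('example-only');
print "stored hash: $stored\n";
print check_password('example-only', $stored) ? "correct password accepted\n"
                                              : "BUG: correct password rejected\n";
print check_password('wrong-guess', $stored)  ? "BUG: wrong password accepted\n"
                                              : "wrong password rejected\n";
```

To migrate an existing installation you would run hash_password() once over each clear-text entry and write the result back in its place; the login code then calls check_password() instead of comparing strings. If the output of hash_password() does not start with "$6$", the libc has ignored the prefix and fallen back to the old DES scheme, which truncates passwords to eight characters and should not be relied on.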