Gossamer Forum

"/cgi-bin" is symlinked how to prevent unauthorized access

Dear DBMan support,

I have a version of DBMan installed in a public directory and running with the user-friendly mod and many form modifications inserted by hand, and I renamed the default files to specific names. All is well with execution, multiple user IDs and passwords. The goal is to gather membership information from new users who log in with a guest user name and guest password.

Now I wish to secure the password file, cfg, and authorization files from unauthorized access or copy. My ISP host will not allow building DBMan in their cgi-bin directory, and naming my own cgi-bin is disallowed because cgi-bin is symlinked to the system directory of the same name. The README says I could hide the sensitive files (like the password file) from unauthorized access by renaming them (security through obfuscation). Here are some questions.

1) I'm told my ISP's system /cgi-bin directory has 755 permissions, so what is the use of concealing a password file in a /cgi-bin directory with 755 permissions?
2) Using the obfuscation approach, I could locate all the script files in a directory separate from db.cgi, rename the sensitive files and hope for the best?
3) How can my DBMan program allow public log-in and still prevent the database from unauthorized copy?

I have not yet installed the change_password() mod with this version, want to get the baseline demo working first. Thanks for guidance. -Les
Re: [lmiklosy] "/cgi-bin" is symlinked how to prevent unauthorized access
Some suggestions:

Do rename your files to be different from the default names. Add an index.htm file to the directory where your files are located so that a directory listing will not display all your files.

The passwords are encrypted so even if someone was to copy that file it would be useless as far as being able to retrieve the passwords.

To answer your question:
3) How can my DBMan program allow public access log-in and still prevent the database from unauthorized copy?

Why would you think that people could copy the database just because they have guest access? Why not have people who are going to enter records sign-up for an account to do so? You can then still let the public view what you choose to have viewed and only allow registered users to add records. By registering the users can then modify their own records which would not be possible with everyone using the same guest username and password.

Just some ideas to consider :)

Unofficial DBMan FAQ

http://creativecomputingweb.com/dbman/index.shtml/
Re: [LoisC] "/cgi-bin" is symlinked how to prevent unauthorized access
LoisC, very kind of you to reply and give assistance to a novice. I'm reading the Unofficial DBMan FAQ, which is very helpful. Your reply leads me to another question. Yes, the password file is encrypted, but the database file is not. Anybody who can list the directory can also read the ASCII database.

I took your suggestions and redirected the server with 'DirectoryIndex' in .htaccess to execute the script instead of doing a directory listing; that works very well. But the db file still has 666 permissions, so if somebody knows its name, then it is viewable. Is there another simple way to secure the database from view? Encryption and restricted access using .htaccess come to mind. I read in the forum that developers were using the same password file for database access from the script as from outside the script using .htaccess permissions. That seems like a very cumbersome way to 'hide' the database from the rest of the world. If the script can grant a user access to the database, must the same user also satisfy the .htaccess permissions? -Les
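The two problems raised in this post (a listing that is blocked only by DirectoryIndex, and a 666 database file that anyone who knows the name can fetch) can be closed from the same directory the files already live in. The script below is an added example, not code from this thread or from Gossamer's DBMan: it writes an .htaccess that serves the renamed script instead of a listing and refuses direct HTTP requests for data files by extension, then audits and drops the "other" permission bits, which .htaccess does nothing about on a shared host. The file names (members.cgi, members.db, ...) and the extension list are assumptions for illustration; adjust them to your renamed files.

```shell
#!/bin/sh
# Added example for a DBMan-style install. Not code from this thread or from
# Gossamer's DBMan; file names and the extension list are assumptions.
set -u

# Extensions DBMan keeps its data in (default.db, .pass, .cfg, .count, .log);
# change this if you renamed the files to other extensions.
DATA_RE='\.(db|pass|cfg|count|log)$'

# 1) .htaccess: run the (renamed) script instead of listing the directory,
#    and refuse any direct HTTP request for a data file, whatever its name.
#    Needs AllowOverride Indexes (DirectoryIndex) and Limit (Order/Deny).
write_htaccess() {
    dir=$1
    script=$2
    cat > "$dir/.htaccess" <<EOF
DirectoryIndex $script
Options -Indexes

# Apache 1.3/2.2 syntax; on 2.4 without mod_access_compat use "Require all denied"
<FilesMatch "$DATA_RE">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# 2) Filesystem side: an "other" read bit on a 644/666 file means every
#    other account on the shared box can cat it, .htaccess or not.
is_data_file() {
    case "$1" in
        *.db|*.pass|*.cfg|*.count|*.log) return 0 ;;
    esac
    return 1
}

world_readable() {
    # column 8 of "ls -ld" is the other-read bit:  -rw-rw-rw-  ->  "r"
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# List the world-readable data files in a directory on stderr and echo the count.
count_world_readable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && is_data_file "$f" || continue
        if world_readable "$f"; then
            echo "world-readable: $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Drop the "other" bits on data files only. The script must still be able to
# write the .db: that works when CGI runs as your own account (suexec/cgiwrap);
# if it runs as the shared server user you need group write with a matching group.
harden_data_files() {
    for f in "$1"/*; do
        [ -f "$f" ] && is_data_file "$f" || continue
        chmod o-rwx "$f"
    done
}

# Demo on a constructed layout in a temporary directory.
demo=$(mktemp -d)
touch "$demo/members.db" "$demo/members.pass" "$demo/members.cfg"
chmod 666 "$demo/members.db"                  # what the post reports
chmod 644 "$demo/members.pass" "$demo/members.cfg"
echo "before: $(count_world_readable "$demo") world-readable data file(s)"
harden_data_files "$demo"
echo "after:  $(count_world_readable "$demo") world-readable data file(s)"
write_htaccess "$demo" members.cgi
cat "$demo/.htaccess"
rm -rf "$demo"
```

The FilesMatch rule is what answers "if somebody knows its name, then it is viewable": the server refuses the request regardless of the name, so renaming is no longer carrying the security. The chmod step is what answers question 1 about 755 directories: directory permissions decide who can list, file permissions decide who can read, and neither is affected by .htaccess.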
Re: [lmiklosy] "/cgi-bin" is symlinked how to prevent unauthorized access
You can always put the .db file into another directory and be sure to add an index.htm file into that directory.

I'm not sure there is any way to really have your database completely secure. There have been various threads in the forum on this issue and any possible suggestions to a solution I'm sure can be found within the "admin" category of the DBMan FAQ.

If your information is really sensitive, you can be creative and use multiple databases to have your information entered into, or create a relational database where just a few fields are in the main database and the sensitive information is within the second, the name of which would be unknown to the users.

Sorry I couldn't be of any more help.

Unofficial DBMan FAQ

http://creativecomputingweb.com/dbman/index.shtml/
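Putting the .db file in another directory only helps if that directory is not one the web server will hand out, and on this thread's host the catch is the symlink: a file whose real location is outside the document tree is still fetchable when a symlink inside the tree (the ISP's cgi-bin) points at it. The script below is an added example, not code from this thread or from Gossamer's DBMan. It resolves symlinks the way the server does and reports whether a data file is reachable from the web tree, before and after moving it out; the directory layout is constructed for the demo, and the DBMan .cfg variable that must be pointed at the new path depends on your renamed install, so it is not named here.

```shell
#!/bin/sh
# Added example, not from this thread or from Gossamer's DBMan. Checks whether
# a data file is reachable through the web tree, following symlinks as the
# web server does, then relocates it. All paths below are constructed.
set -u

# Real (symlink-resolved) path of a directory, without relying on realpath(1).
realdir() { (cd -P "$1" 2>/dev/null && pwd -P); }

# Real path of a file: resolve its directory, keep its name.
realfile() {
    d=$(realdir "$(dirname "$1")") || return 1
    echo "$d/$(basename "$1")"
}

# is_under FILE DIR: true when FILE's real path lies below DIR's real path.
is_under() {
    f=$(realfile "$1") || return 1
    d=$(realdir "$2") || return 1
    case "$f" in
        "$d"/*) return 0 ;;
    esac
    return 1
}

# web_reachable FILE DOCROOT [EXTRA_DIR...]
# A file is fetchable if it sits under DocumentRoot, under any directory that a
# symlink inside DocumentRoot points at (the ISP cgi-bin case: the link is in
# the web tree even though its target is not), or under any extra directory the
# server serves, such as a ScriptAlias target.
web_reachable() {
    file=$1; docroot=$2; shift 2
    is_under "$file" "$docroot" && return 0
    for link in $(find "$docroot" -type l); do      # demo: no spaces in paths
        [ -d "$link" ] && is_under "$file" "$link" && return 0
    done
    for extra in "$@"; do
        is_under "$file" "$extra" && return 0
    done
    return 1
}

# move_out FILE DEST_DIR: relocate a data file and print the new path, which is
# what the DBMan .cfg must be pointed at afterwards.
move_out() {
    mkdir -p "$2" && mv "$1" "$2/" && echo "$2/$(basename "$1")"
}

# Demo: docroot with the ISP's symlinked cgi-bin, database first inside, then moved.
t=$(mktemp -d)
mkdir -p "$t/www" "$t/system/cgi-bin" "$t/private/dbman"
ln -s "$t/system/cgi-bin" "$t/www/cgi-bin"          # cgi-bin -> system directory
touch "$t/system/cgi-bin/members.db"
db="$t/system/cgi-bin/members.db"
web_reachable "$db" "$t/www" && echo "reachable through symlink: $db"
new=$(move_out "$db" "$t/private/dbman")
web_reachable "$new" "$t/www" || echo "not reachable from the web tree: $new"
rm -rf "$t"
```

Run against the real DocumentRoot and, as extra arguments, any ScriptAlias targets the ISP serves; a data file that comes back unreachable can be read only by the script (through its configured path) and by local accounts, which is where the file permission bits from the earlier post take over.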
Re: [LoisC] "/cgi-bin" is symlinked how to prevent unauthorized access
OK, I'll try putting it into another directory as well and directing the file pointers there. Thanks for all the help, great forum!