[Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

[Eric Chadbourne]

FWIW, in PHP you often put the PostgreSQL user credentials in the code.  Usually a config file somewhere.  You can also place sensitive files outside of your web root with proper permissions.  If all running on a local box I don’t open the ports or set the db config to allow other connections.  It seems reasonably secure.

I am curious as to what others do.

The PostgreSQL docs have a ton of great info.

- Eric



> On Jan 31, 2015, at 10:28 AM, Kent Borg <kentborg at borg.org> wrote:
> 
> Related to my previous database questions...
> 
> Normally I think of a program as trusting itself, having some integrity, maybe not even having gaping bugs or security holes. But what if I the program I am writing is talking to another, such as Postgres? Postgres has the ability to do passwords, so do I just put a password in my program source? Set Postgres to only accept local connections, and hope for the best? Seems wrong. Do I try to put both in a chroot or something?
> 
> My program already has to hope that its program files are secured by the hosting OS, but at least if it isn't opening up a network port it stays a rather contained problem.
> 
> (I want multiple programs talking to the database, so no, I can't just link in Sqlite.)
> 
> Seems a general problem of securing interprocess communications.
> 
> Thoughts?
> 
> Thanks,
> 
> -kb, the Kent who knows that people Google for passwords, search github for passwords, and get a lot of juicy results.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss