What is the more secure way to store information?

Red Squirrel

No Lifer
May 24, 2003
70,667
13,835
126
www.anyf.ca
I'm writing a program and debating on two ways to store information (possibly including passwords).

Would files be better, or a mysql database? I'm thinking files, as with mysql there's always the chance that there's some kind of exploit that allows users to view info from others' DBs, or of a backup ending up in a public location or badly chmodded, but I want a second opinion.

If it would be files, they would be chmodded 700 and owned by root.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Databases are perfectly secure; if you run it locally you just set it to listen on localhost only, and make sure your passwords are strong. If you run it on a different server, then you'll want to set up a firewall + SSL (unless they are on the local LAN) so that nobody else can get access or read your data.

If you have to store passwords in the database use SHA1 instead of MD5, and use a salt for the passwords. You will not be able to recover forgotten passwords, but you can always overwrite them :).
 

degibson

Golden Member
Mar 21, 2008
1,389
0
0
Originally posted by: Crusty
Databases are perfectly secure; if you run it locally you just set it to listen on localhost only, and make sure your passwords are strong. If you run it on a different server, then you'll want to set up a firewall + SSL (unless they are on the local LAN) so that nobody else can get access or read your data.

If you have to store passwords in the database use SHA1 instead of MD5, and use a salt for the passwords. You will not be able to recover forgotten passwords, but you can always overwrite them :).

Right on, Crusty!

The only thing I would add is this: It depends on what you are storing. For challenge-response stuff like passwords, a good option is a one-way hash for passwords, as Crusty suggested. However, for private data that actually needs to be retrieved, you'll want to use encryption, possibly with another hash as a protection against corruption.

Naturally, rely on as much already-existing code as possible.
 

Red Squirrel
Most passwords would probably be MD5 or whatever format the program in question needs.

Ex: part of my program will store the entries for the passwd file for email. So it would store it whatever format that is. I have to figure how to generate that hash code from a user, but I'm not at that point yet. I'm sure I can find the source code to htpasswd somewhere (assuming it's open source). There's a possibility it would go in plain text but I'm going to avoid that as much as I can.

Though really, what are the odds of someone getting to a restricted database? Are they big enough, or is it very hard/impossible to do? (assuming there is not a huge exploit in mysql, which, if there is, would get fixed)

I'm leaning more towards DB just for the fact that it will be easier to organize/modify entries.
 

Crusty
Why would you rewrite anything related to password hashing? If you need to call htpasswd from a web script there are ways to call system commands. If you are talking about hashing for the passwords in the database, mysql has built-in hashing for MD5 or SHA1. Beware, though, that MD5 is not as strong as SHA1.
 

Red Squirrel
Basically I'm coding a control panel, so I will store all the settings for email accounts, including the information required to generate the htpasswd file for dovecot authentication. When a new user is created I'll have to generate a new hash to store in my own system, which is then used to generate that file. I'd rather do it that way so I don't have to actually parse out the files. So I have to use whatever htpasswd uses so that it works with dovecot. Just not sure how I'll go about generating that hash programmatically, but that's something I'll figure out later. At worst I can make it create a temp htpasswd file, then parse out the hash value, put it in my DB, then delete the file. But that's kind of inefficient.
 
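The two hashing questions in this thread (Crusty's "salted SHA1 in the database" and Red Squirrel's "how do I generate a dovecot-compatible hash in code") share one helper, so here is a single added example covering both. This is editor-written code, not anything posted in the thread or shipped by Dovecot. The `sha1$salt$digest` and `pbkdf2$...` storage formats are my own assumptions for the control panel's own table; `{SSHA}` is one of the password schemes Dovecot's passwd-file accepts (digest with the salt appended, base64-encoded), and the output should be checked against `doveadm pw -s SSHA -p <password>` on the target box before relying on it. The PBKDF2 variant is included because salted single-round SHA-1 is what the post suggests, while current guidance prefers a deliberately slow KDF.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Editor-added example, not code from the thread. The "sha1$<salt>$<digest>" and
# "pbkdf2$..." formats are assumptions for the panel's own table; the {SSHA}
# layout is Dovecot's documented scheme and should be verified with `doveadm pw`.

SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 as the thread suggests: a random per-user salt means two
    users with the same password get different digests, and a lookup table
    precomputed for one salt is useless against every other user."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = 600_000) -> str:
    """Same idea with a slow KDF: each guess costs the attacker `iterations`
    HMAC-SHA256 computations instead of a single hash."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time. The
    password cannot be recovered; a forgotten one is simply overwritten."""
    parts = stored.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        candidate = hash_password(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2" and len(parts) == 4:
        candidate = hash_password_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        return False
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(candidate, stored)


def dovecot_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Dovecot {SSHA} entry: base64(sha1(password + salt) + salt). The salt
    rides along after the 20-byte digest so the verifier can recover it."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_dovecot_ssha(password: str, entry: str) -> bool:
    if not entry.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(entry[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def passwd_file_line(user: str, password: str) -> str:
    """One line for a Dovecot passwd-file: user:password[:extra fields]."""
    return f"{user}:{dovecot_ssha(password)}"
```

Generating the `{SSHA}` string directly avoids the temp-file-and-parse detour the post describes; the control panel can store the finished entry and the regeneration job just writes it out.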

Crusty
In general you don't want to be bridging web accessible inputs to system commands directly. The safest/securest way is to use your web scripts to populate a database that contains all of your configurations and have a cron job that runs every couple of minutes that updates your system configuration files and restarts/reloads any appropriate services. With clever use of timestamps you can easily only update what needs to be updated.

Aside from that, dovecot can use mysql tables directly for its user authentication, and so can postfix (they can use the exact same tables). A really robust mail setup is to use postfix to handle incoming SMTP from the internet, then forward it through amavis-new via SMTP, which then uses virus scanners and spam filters, and if the mail passes you send it back to postfix, which then delivers it to the user's mailbox. Once the mail is in the user's mailbox, dovecot can give the users access via IMAP or POP3. As with any decent mail server, you're going to need RAM and CPU if you are doing a high volume of mail. Virus scanning takes up a lot of CPU, and spamassassin takes up a lot of RAM.

There are tons of guides out there that have small variations of the above with complete walkthroughs for all sorts of distributions. Obviously, depending on your needs you'd configure it differently, but the idea remains the same. So long as both your MTA (postfix) and your client access (dovecot) can use the same datastore for their routing/authentication information, there's no need to use a cron job for that information. This also gives you more extensibility if you need it. You can just set up a mysql master-master cluster to mirror the database on two different servers so you can start adding backup mail servers as needed.
 
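The "web scripts write to the database, a cron job regenerates the config files" pattern from the post, as an added example written by the editor (not code from the thread). An in-memory SQLite table stands in for the panel's MySQL database; the table layout, the `updated_at` bookkeeping used for the timestamp trick, and the output path are my assumptions, and the stored hashes are constructed placeholder strings. The two checks a practitioner would want are in here: values are refused if they contain a colon or line break (otherwise an account name stored by the web front end could inject a second passwd-file entry), and the file is written to a temp file and renamed, so dovecot never reads a half-written file.

```python
import hashlib
import os
import sqlite3
import tempfile
from typing import Iterable, Tuple

# Editor-added example, not code from the thread. SQLite stands in for MySQL;
# the schema, updated_at bookkeeping and file path are assumptions, and the
# pw_hash values are constructed placeholders, not real digests.

SCHEMA = """CREATE TABLE mail_users (
    username   TEXT PRIMARY KEY,
    pw_hash    TEXT NOT NULL,
    updated_at INTEGER NOT NULL)"""


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO mail_users VALUES (?, ?, ?)", [
        ("alice@example.org", "{SSHA}constructed-alice", 100),
        ("bob@example.org", "{SSHA}constructed-bob", 101),
    ])
    return conn


def field_is_safe(value: str) -> bool:
    """passwd-file is one colon-separated entry per line, so a ':' or a line
    break inside a database value would inject extra fields or a whole entry."""
    return not any(c in value for c in ":\r\n\x00")


def render_passwd_file(rows: Iterable[Tuple[str, str]]) -> str:
    lines = []
    for username, pw_hash in rows:
        for field in (username, pw_hash):
            if not field_is_safe(field):
                raise ValueError(f"illegal character in {field!r}")
        lines.append(f"{username}:{pw_hash}")
    return "".join(line + "\n" for line in sorted(lines))


def write_if_changed(path: str, content: str, mode: int = 0o600) -> bool:
    """Atomically replace `path`; return True only if the content differed.
    The temp file is in the same directory so os.replace() is a rename."""
    data = content.encode("utf-8")
    if os.path.exists(path):
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).digest() == hashlib.sha256(data).digest():
                return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".users-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise
    return True


def regenerate(conn: sqlite3.Connection, path: str, since: int) -> Tuple[int, bool]:
    """Cron entry point. `since` is the newest updated_at seen on the previous
    run; if nothing is newer the file is not touched (the timestamp trick).
    Returns (newest updated_at, whether the file was rewritten)."""
    newest = conn.execute("SELECT COALESCE(MAX(updated_at), 0) FROM mail_users").fetchone()[0]
    if newest <= since:
        return newest, False
    rows = conn.execute("SELECT username, pw_hash FROM mail_users").fetchall()
    return newest, write_if_changed(path, render_passwd_file(rows))


def demo() -> dict:
    """Three cron ticks: initial write, nothing changed, one password reset."""
    conn = open_demo_db()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dovecot-users")
        newest, first = regenerate(conn, path, since=0)
        newest, second = regenerate(conn, path, since=newest)
        conn.execute("UPDATE mail_users SET pw_hash = ?, updated_at = ? WHERE username = ?",
                     ("{SSHA}constructed-bob-2", 102, "bob@example.org"))
        newest, third = regenerate(conn, path, since=newest)
        with open(path, encoding="utf-8") as f:
            content = f.read()
        mode = os.stat(path).st_mode & 0o777
    # a real job would reload dovecot here, and only when something was rewritten
    return {"first": first, "second": second, "third": third,
            "content": content, "mode": mode, "newest": newest}
```

The boolean from `regenerate()` is what decides whether to reload the service, so an unchanged database costs the cron tick one `MAX()` query and nothing else.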

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
You might use sqlite for your database. It is a local file-based SQL "server" similar to MS Access but much, much more robust and stable. Its security would be through file system permissions, just like if you stored in a flat file.

I'm not suggesting this because I think it would be any more secure, but it might make better sense for your situation.

 

Red Squirrel
Originally posted by: Crusty
In general you don't want to be bridging web accessible inputs to system commands directly. The safest/securest way is to use your web scripts to populate a database that contains all of your configurations and have a cron job that runs every couple of minutes that updates your system configuration files and restarts/reloads any appropriate services. With clever use of timestamps you can easily only update what needs to be updated.

Aside from that, dovecot can use mysql tables directly for its user authentication, and so can postfix (they can use the exact same tables). A really robust mail setup is to use postfix to handle incoming SMTP from the internet, then forward it through amavis-new via SMTP, which then uses virus scanners and spam filters, and if the mail passes you send it back to postfix, which then delivers it to the user's mailbox. Once the mail is in the user's mailbox, dovecot can give the users access via IMAP or POP3. As with any decent mail server, you're going to need RAM and CPU if you are doing a high volume of mail. Virus scanning takes up a lot of CPU, and spamassassin takes up a lot of RAM.

There are tons of guides out there that have small variations of the above with complete walkthroughs for all sorts of distributions. Obviously, depending on your needs you'd configure it differently, but the idea remains the same. So long as both your MTA (postfix) and your client access (dovecot) can use the same datastore for their routing/authentication information, there's no need to use a cron job for that information. This also gives you more extensibility if you need it. You can just set up a mysql master-master cluster to mirror the database on two different servers so you can start adding backup mail servers as needed.

Yeah, that's most likely how it would work: the settings and stuff for virtual hosts, domains, DNS records, email accounts, etc. would reside in my own DB. Every 10 minutes or so a job would run and regenerate the program config files (or other mysql DB) and do a reload, as required. I also have to consider stuff like user input sanitation etc...

I don't want anybody naming their mail account ";drop database mysql" and stuff. :p
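The input-sanitation worry in the last post, shown concretely as an added example by the editor (not code from the thread). SQLite stands in for MySQL; the `accounts` table, the function names and the allowlist pattern are my assumptions. It puts a string-built query next to a parameterized one and runs a quote-breaking account name through both, then shows an allowlist on the mailbox name for the places where the value leaves SQL and lands in a generated config file.

```python
import re
import sqlite3
from typing import List, Tuple

# Editor-added example, not code from the thread. SQLite stands in for MySQL;
# the accounts table, function names and allowlist are assumptions.

# local-part allowlist: lowercase letters, digits, dot, underscore, hyphen;
# must start with a letter or digit; at most 64 characters
LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


def valid_local_part(name: str) -> bool:
    """Reject anything that is not a plain mailbox name. This keeps quotes,
    ';', ':' and newlines out of both SQL and the generated config files; it
    is defence in depth, since the bound query below is safe without it."""
    return LOCAL_PART.fullmatch(name) is not None


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, domain TEXT NOT NULL, "
                 "pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", "example.org", "constructed-hash-1"),   # constructed sample rows
        ("bob", "example.org", "constructed-hash-2"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # the account name is pasted into the SQL text, so a quote in it ends the
    # string literal and whatever follows is parsed as SQL
    sql = f"SELECT name, pw_hash FROM accounts WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # bound parameter: the value is handed to the engine separately and is
    # never parsed as SQL, whatever characters it contains
    return conn.execute("SELECT name, pw_hash FROM accounts WHERE name = ?", (name,)).fetchall()


def create_account(conn: sqlite3.Connection, name: str, domain: str, pw_hash: str) -> bool:
    if not valid_local_part(name):
        return False
    conn.execute("INSERT INTO accounts VALUES (?, ?, ?)", (name, domain, pw_hash))
    return True


def demo() -> dict:
    conn = setup()
    payload = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, payload)   # every row comes back
    nothing = lookup_safe(conn, payload)        # no account has that literal name
    rejected = create_account(conn, ";drop database mysql", "example.org", "h")
    accepted = create_account(conn, "red.squirrel", "example.org", "h")
    return {"leaked": len(leaked), "safe": len(nothing),
            "bad_name_stored": rejected, "good_name_stored": accepted,
            "rows": conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]}
```

Two things worth noticing when running it. SQLite's `execute()` refuses a second statement, so the exact `;drop database mysql` string from the post would raise an error here rather than drop anything, but the `x' OR '1'='1` name leaks every row through the string-built query just fine; the fix is binding parameters, not hunting for semicolons. And binding only protects the query: the same name is later written into a passwd-file or a DNS zone, which is why the allowlist is applied at account creation as well.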