Re: PHP script to only be accessed by cron [message #175286 is a reply to message #175281]
Wed, 31 August 2011 16:48
The Natural Philosoph
Peter H. Coffin wrote:
> On Tue, 30 Aug 2011 19:16:00 -0700 (PDT), jwcarlton wrote:
>>>> I wouldn't mind encoding the page, too, JUST in case I have a root
>>>> breach (not expected, of course, but not impossible). Since I would
>>>> only need to encode one page, once, would it be reasonable to use the
>>>> free trial of Zend Guard? Or would you guys suggest something
>>>> different?
>>> Way, way, way too complicated. Stop thinking "page", start thinking
>>> "script file".
>> I'm not sure that I follow. If a hacker gains root access, I don't
>> want them to be able to go to the cron page and obtain the encryption
>> keys in the page; otherwise, they'll be able to get all of the
>> otherwise nicely secured data.
>>
>> If not Zend Guard, what else do you recommend?
>
> If an attacker gets root access, inside the system, the attacker has the
> encryption keys, no matter where you bury them. Might as well make sure
> that nobody can get them from *outside* the system, which you can
> actually do something about.
>
Well, yes and no. If they are hard coded in a compiled program, at least
without serious disassembly they can only be used as that program
intended, not generically.
In a similar way, reading /etc/passwd doesn't actually tell you
what the password was, though it gives you a great chance of a brute
force attack on it succeeding.