* Ken Tanzer (ken.tanzer@gmail.com) wrote:
> OK one more question on this thread. It occurs to me that for the web
> app, DB username and password is read from a configuration file. (I
> understand this to be a common method for web applications.) But since
> apache needs to read the file, then all users can read each others'
> passwords. Arrghh. I'm just wondering how web hosters typically deal
> with this issue (or is your info for, say, Wordpress exposed to other
> users if they know where to look for it?) Sorry if this is too
> off-topic...
Have the username/password for each user site passed through
environment variables which are in the apache config file for the
virtual site they have access to the web root of. Then deny access to
the apache config files (the users don't really need access to it
anyway, and neither does www-data; apache will read them as root during
startup).
Thanks,
Stephen