Is it safe to store database credentials as plain text in the configuration file?

Çağlar Arlı

Some services, like ejabberd, nginx (when authenticating against a database), and dovecot, require the database password to be provided as plain text in the configuration file. Is it safe to store the MariaDB password as plain text, provided that processes are isolated in chroots or, for instance, containers, mandatory access control is present on the system, and permissions on the configuration files are properly set?

I need to protect the database user password from unauthorized processes running on the system in case of any vulnerabilities in the services.

I am the only user of the Debian 12 server, which I use mostly for things like hosting my e-mail and PHP code in a Gitea repository. This server has security updates applied regularly.

Example configuration file:

...
#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
#   Note that currently you can't use spaces in parameters.
#
# sqlite:
#   The path to the database file.
#
# Examples:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
#
connect = host=/var/run/postgresql/ dbname=mail user=mailreader

# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
default_pass_scheme = SHA512

# passdb query to retrieve the password. It can return fields:
#   password - The user's password. This field must be returned.
#   user - user@domain from the database. Needed with case-insensitive lookups.
#   username and domain - An alternative way to represent the "user" field.
#
# The "user" field is often necessary with case-insensitive lookups to avoid
# e.g. "name" and "nAme" logins creating two different mail directories. If
# your user and domain names are in separate fields, you can return "username"
# and "domain" fields instead of "user".
#
# The query can also return other fields which have a special meaning, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#
# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
# for full list):
#   %u = entire user@domain
#   %n = user part of user@domain
#   %d = domain part of user@domain
...
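The question rests on two controls: that a configuration file carrying a `password=` is readable by the service and by nobody else, and knowing which lines in that file actually hold a secret (the shipped dovecot example above has a commented `password=blarg` that is harmless, while a real `connect =` line with a password is not). The following POSIX shell audit, added here as an example and not taken from the original post or from the dovecot, ejabberd or nginx projects, checks both. It assumes GNU `stat` as shipped in Debian coreutils; the file path and the owner/group names passed to it are the reader's own (the `/etc/dovecot/dovecot-sql.conf.ext` path in the comment is only an example invocation).

```shell
#!/bin/sh
# Added example, not from the original post or from dovecot/ejabberd/nginx.
# Audits a service configuration file that carries database credentials.
# Assumes GNU stat (Debian coreutils) and a POSIX shell.

# check_secret_file FILE OWNER GROUP
# Returns 0 when FILE is a regular file owned by OWNER:GROUP, grants nothing
# to "other" users and is not writable by its group; returns 1 otherwise.
# OWNER is normally root; GROUP is root or the group the daemon reads the
# file as, so the service can read the password but no other account can.
check_secret_file() {
    file=$1 want_owner=$2 want_group=$3
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    # stat prints e.g. "640 root root"; the mode has a 4th leading digit
    # when setuid/setgid/sticky bits are set, so keep only the last three.
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3
    case $mode in ????) mode=${mode#?} ;; esac
    group_bits=${mode%?}; group_bits=${group_bits#?}
    other_bits=${mode#??}
    rc=0
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$file: owned by $owner:$group, expected $want_owner:$want_group" >&2
        rc=1
    fi
    if [ "$other_bits" != 0 ]; then
        echo "$file: accessible by other users (mode $mode)" >&2
        rc=1
    fi
    case $group_bits in
        0|4) ;;   # no group access, or read-only group access: acceptable
        *) echo "$file: group may modify the file (mode $mode)" >&2; rc=1 ;;
    esac
    return $rc
}

# count_plaintext_passwords FILE
# Prints how many uncommented lines set a password= key, i.e. the lines
# whose value anyone able to read the file would obtain. Commented examples
# such as "#   connect = ... password=blarg" are ignored.
count_plaintext_passwords() {
    grep -v -E '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -c -i -E 'password[[:space:]]*=' || true
}

# masked_password_lines FILE
# Prints those lines with the secret replaced, so the audit output itself
# does not leak the password into terminals or logs.
masked_password_lines() {
    grep -v -E '^[[:space:]]*#' "$1" 2>/dev/null |
        sed -n -E 's/([Pp]assword[[:space:]]*=[[:space:]]*)[^[:space:]]+/\1********/p'
}

# audit_db_config FILE OWNER GROUP
# Runs both checks; exit status is 0 only when the permissions are right.
audit_db_config() {
    n=$(count_plaintext_passwords "$1")
    echo "$1: $n uncommented line(s) carry a password"
    masked_password_lines "$1" | sed 's/^/    /'
    check_secret_file "$1" "$2" "$3"
}

# Example invocation on a Debian dovecot install (path is an example):
#   sh audit.sh /etc/dovecot/dovecot-sql.conf.ext root root
if [ $# -eq 3 ]; then
    audit_db_config "$1" "$2" "$3"
fi
```

Two things worth noting about the config on this page. First, its live `connect =` line carries no password at all: it connects to PostgreSQL over the UNIX socket in `/var/run/postgresql/` as `mailreader`, which is the pattern that removes the secret from the file entirely, since PostgreSQL's `peer` authentication in `pg_hba.conf` identifies the connecting OS user through the socket instead of a password. Second, file permissions only protect the password from other local accounts; a process running as the same user as the service (or a vulnerability inside the service itself) can read whatever the service can read, so the permission check above is a necessary floor, not a complete answer to the question.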