Test-suite for a password protected website

Timothy S. Nelson wayland at smartchat.net.au
Tue Dec 30 04:58:56 CST 2003


On Mon, 29 Dec 2003, Michael Stillwell wrote:

> David Dick said:
> > Interesting problem that I have encountered.
> >
> > If I have the time, it's good to be able to automatically and quickly
> > validate a system's integrity by having an automated test suite (using
> > something like Test::Harness, etc).  However, from a security viewpoint,
> > how do people cope with username / passwords.
> 
> Whenever I need to do this I put my username, password, and
> database connection string in files called USERNAME, PASSWORD
> and DATABASE.  (In the form "q{name}", which can be read nicely
> with $username = do "USERNAME".)

	Wouldn't the best thing to do be to run the test process as a separate 
user (chroot?), and make this a file in /etc/ with only permissions for that 
user?  Or if you're using Linux, maybe consider using the 2.6 kernel with its 
more finely-grained security controls?  If I was doing it myself, I'd be doing 
some reading attempting to discover why the ideas above are bad, but this time 
I'll just send in the ideas and see what happens.  

	:)


---------------------------------------------------------------------
| Name: Tim Nelson                 | Because the Creator is,        |
| E-mail: wayland at smartchat.net.au | I am                           |
---------------------------------------------------------------------

----BEGIN GEEK CODE BLOCK----
Version 3.12
GCS d+ s:- a- C++>++++$ U++ P++ L++ E- W+++ N+ w>--- V- Y+>++ 
PGP->++ R !tv b++ DI++++ D+ G e++>++++ h! y-
-----END GEEK CODE BLOCK-----




