Test-suite for a password protected website

Timothy S. Nelson wayland at smartchat.net.au
Tue Dec 30 04:58:56 CST 2003

On Mon, 29 Dec 2003, Michael Stillwell wrote:

> David Dick said:
> > Interesting problem that i have encountered.
> >
> > If i have the time, it's good to be able to automatically and
> > quickly
> > validate a system's integrity by having a automated test suite
> > (using
> > something like Test::Harness, etc).  However, from a security
> > viewpoint,
> > how do people cope with username / passwords.
> Whenever I need to do this I put my username, password, and
> database connection string in files called USERNAME, PASSWORD
> and DATABASE.  (In the form "q{name}", which can be read nicely
> with $username = do "USERNAME".)

	Wouldn't the best thing to do be to run the test process as a separate 
user (chroot?), and make this a file in /etc/ with only permissions for that 
user?  Or if you're using Linux, maybe consider using the 2.6 kernel with its 
more finely-grained security controls?  If I was doing it myself, I'd be doing 
some reading attempting to discover why the ideas above are bad, but this time 
I'll just send in the ideas and see what happens.  


| Name: Tim Nelson                 | Because the Creator is,        |
| E-mail: wayland at smartchat.net.au | I am                           |

Version 3.12
GCS d+ s:- a- C++>++++$ U++ P++ L++ E- W+++ N+ w>--- V- Y+>++ 
PGP->++ R !tv b++ DI++++ D+ G e++>++++ h! y-

More information about the Melbourne-pm mailing list