Securing files that contain database passwords
Often content management systems use a configuration file containing the bare password and username which it uses to connect the database and in order for them to be able to read them permissions on such files must be set to readable by everyone.
I suppose in cases where the server has only SSH accounts belonging to the admin this isn't much of a problem. The actual configuration files are scripts which, of course, don't output the password, so it can't be accessed via HTTP. However when you have a multiple of SSH accounts all of them can basically view the file directly with a text editor.
I've made some parent directories to the directories in which such files reside unreadable, but those are only roadblocks. It means that if the config file with sensitive information is in /var/www/site.com/config/database.php and I make site.com unreadable it just means nobody will be able to get to the site.com directory and therefore view its hierarchy. In case someone knows the actual path or just makes a correct guess it doesn't solve the problem.
Now, I don't usually give SSH access to people who I don't trust. I don't suppose anyone would be adamant to go and pick through the system trying to find my passwords. But still, if something can be more secure I suppose it might be worth pursuing. You never know what could happen. No matter how small the odds, someone could, for instance, be logged in to my server from a computer in presence of other people (friends or whatever) who could, when he's not watching (say he goes away for a bit and forgets to logout) enter the server and start digging. You can't assume none of the friends aren't crackers.
OK,that scenario seems very unlikely, but still..
So I'm wondering what are the ways to secure these files? I've heard about suphp, but it apparently works only with apache and I use lighttpd server. For lighttpd there is also execwrap, but its site seems to be down and there is no debian package in repositories.
I might try this guide, but I'm wondering if there is a simpler way to do it. suEXEC is also an apache package and that guide therefore includes quite a bit of trickery..