Clear text password in config.php - Can it be encrypted in 3.11

by Jayamurugan Ravichandran -
Number of replies: 9

Clear text password in config.php.

We have a security threat from putting the clear text DB user name and password in config.php.

Please provide your advice on whether this can be encrypted, or on any other methods to make it secure.

I am currently using Moodle 3.11.3 version.

In reply to Jayamurugan Ravichandran

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Marcus Green -
"Please provide your advice on whether this can be encrypted, or on any other methods to make it secure."
Where would the key to decrypt it go?
In reply to Marcus Green

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Jayamurugan Ravichandran -
Hi Marcus,
I am trying to see if Moodle can encrypt the DB user/password using a key, so that we put the encrypted password in config.php. During the Moodle app to DB connection the password internally gets decrypted.
I would like to understand whether such a feature exists in Moodle to secure against clear text, or whether Moodle provides any other feature.
Please advise.
In reply to Jayamurugan Ravichandran

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Marcus Green -
Moodle does not provide such a feature. Do any other comparable web apps provide such a feature? I ask because I am not sure how it would or could work. Just about every connection to Moodle requires a database connection. If the file were encrypted the credentials would need to come from somewhere and I am not sure how they could be stored for all users without them being plain text at some point.

I have been following Moodle security issues for a very long time, and I am not aware of the plain text of the config file having been a source of issues in itself.
In reply to Jayamurugan Ravichandran

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Andrew Lyons -
Hi Jayamurugan,

This is not currently available as a core feature, though you could probably do so relatively easily on the infrastructure side. That said it would be a bad idea and will cause you no end of headaches. Plus it's largely pointless. Using an encrypted connection between Moodle and the DB server would be a far more appropriate option.

Can we take a step back and ask what your purpose for doing this is?

Essentially you want to take a plain-text password, encrypt it, then put the encrypted version into the config.php file and require a key to unlock it.

The main question here is: how do you intend to provide that key to perform the decryption?

From a webserver perspective you could probably set the key in the webserver configuration (i.e. the Apache SetEnv directive), which you could then use within PHP to decrypt the hash into a plaintext password that you pass into the Moodle configuration. However the chances are that your web server is also the same server hosting PHP so you likely have the hash and key on the same server rendering the security essentially useless (you could argue that this provides security through obscurity but it's still useless - security through obscurity is just a way to give you warm fuzzy feelings while you're standing in the rain).

From a CLI perspective (i.e. when running Moodle cron jobs) you'd have to find a way to provide the encryption key to the CLI without user interaction (unless you plan to run cron manually every minute from the CLI and physically type the password in). The chances are you'd set it as an environment variable and pass it in that way - and again you hit the same issue as on the web server.
Average of ratings: Useful (3)
In reply to Andrew Lyons

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Jayamurugan Ravichandran -
Sorry for the late reply Andrew and Marcus.

Thanks for the detailed inputs.

From the security perspective, anyone who can access config.php can take advantage of the DB user and password. This is harmful.

I am looking into the feasibility of securing this clear text from strangers.

Does Moodle have the ability to secure this file in any way?

If not, I will have to plan on securing the file's accessibility by others or so.

Kindly advise. Thanks.
In reply to Jayamurugan Ravichandran

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Ken Task -

My 2 cents ...

config.php has nothing but variable definitions ... cannot be rendered by a browser. The only time it can be acquired is in the case where your PHP is broken.

Then one could acquire the file via wget. But, even then, there are protections in MySQL itself - host/user/password. If the DB server is localhost and only localhost - then that uses a socket connection ... not typical TCP/IP MySQL port access.

That means a hacker would have to gain access to server to be able to use those credentials.   If they can do that ... you've got more trouble than you know.

Permissions/ownerships to config.php need only read ... not write.  File can be owned by root but must be viewable to all for moodle to function.

Obviously one would not/should not use DB credentials that are also root user for the operating system ... that would be dumb! ;)

And a question ... when anyone accesses your moodle, do they see anything at all or are they forced to login to see anything.

Even if you do that ... there is at the very least a session cookie.

Understand your concern, but there is such a thing as being overly concerned. :)

Like I said - my 2 cents.

'SoS', Ken


In reply to Jayamurugan Ravichandran

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Andrew Lyons -
If someone is able to read arbitrary files on your server then it's already game over. These files should only be readable by the web server user, and not arbitrary users already.

I've already explained the issues with trying to 'secure' the password - if you wish to ignore this advice then good luck.

Personally I would spend my efforts actually ensuring the security of my server in more appropriate ways first.
Average of ratings: Useful (3)
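The file-permission points made above (config.php readable only by the web server user, and needing read but not write) can be checked mechanically. The following is an added example, not code from the thread or from Moodle; it assumes GNU stat, and the function name and the `www-data` account mentioned in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit access to a secrets file such as
# Moodle's config.php. Assumes GNU stat; names here are illustrative.

# audit_secret_file PATH PHP_USER
#   PHP_USER: account PHP runs as, by name or numeric uid (www-data is an assumption).
#   Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on error.
audit_secret_file() {
    asf_path=$1; asf_user=$2; asf_rc=0
    [ -f "$asf_path" ] || { echo "ERROR: $asf_path is not a regular file"; return 2; }
    case $asf_user in
        ''|*[!0-9]*) asf_want=$(id -u "$asf_user" 2>/dev/null) ||
                         { echo "ERROR: unknown user '$asf_user'"; return 2; } ;;
        *)           asf_want=$asf_user ;;
    esac
    asf_uid=$(stat -c '%u' "$asf_path")     # numeric owner of the file
    asf_mode=$(stat -c '%a' "$asf_path")    # permission bits in octal, e.g. 640
    asf_perm=$((0$asf_mode))                # leading 0 makes the shell read it as octal

    if [ $((asf_perm & 0004)) -ne 0 ]; then
        echo "FINDING: world-readable, every local account can read the DB password"; asf_rc=1
    fi
    if [ $((asf_perm & 0022)) -ne 0 ]; then
        echo "FINDING: group- or world-writable"; asf_rc=1
    fi
    if [ "$asf_uid" -ne "$asf_want" ] && [ "$asf_uid" -ne 0 ]; then
        echo "FINDING: owned by uid $asf_uid, expected root or the PHP account"; asf_rc=1
    fi
    if [ "$asf_uid" -eq "$asf_want" ] && [ $((asf_perm & 0200)) -ne 0 ]; then
        echo "FINDING: writable by the PHP account, a compromised web process could rewrite it"; asf_rc=1
    fi
    return $asf_rc
}

# Constructed demo on a throwaway file standing in for config.php.
asf_demo=$(mktemp)
chmod 644 "$asf_demo"; audit_secret_file "$asf_demo" "$(id -u)" || true   # reports findings
chmod 400 "$asf_demo"; audit_secret_file "$asf_demo" "$(id -u)" && echo "clean"
rm -f "$asf_demo"
```

A root-owned file with mode 640 and the PHP account's group passes this check; group membership itself is not audited here.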
In reply to Andrew Lyons

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Jayamurugan Ravichandran -
Thanks Andrew and Ken for your inputs.

I have found a simple alternate solution to avoid showing up clear text password in config.php.

Step 1: Create a Python or PHP script that generates an encrypted key and use that key to encrypt the clear text DB password.
Step 2: Use another Python script, that can be called to decrypt the encrypted password.
Step 3: In config.php, call the script (in step 2) and save the output in a variable.
Step 4: Pass the variable to the dbpass config.
Step 5: Restart Apache services and it is working as expected.

This way the password is not clear text in config.php and is secured as well.

Solution:
In config.php,
$DECRYPTPASS = escapeshellcmd('/var/PROJECT/decrypt.py');
$EXECSHELL = shell_exec($DECRYPTPASS);

// The below line to remove new line at the end of password fetched above
$PARSEDATA = preg_replace('~[\r\n]+~', '', $EXECSHELL);

Now we made it secured,
$CFG->dbpass = $PARSEDATA;

Hope it helps.
In reply to Jayamurugan Ravichandran

Re: Clear text password in config.php - Can it be encrypted in 3.11

by Paul Holden -
Assuming the attack vector you are trying to address is "user has access to my server file system and/or arbitrary files within it" - what exactly is stopping said user from just executing your python script themselves, in order to obtain your cleartext password?
Average of ratings: Useful (2)