Securing Passwords in a Multi-Dev nginx setup

We have an Ubuntu 12.04 + PHP + nginx setup on our servers. Our developers have access to both the /usr/lib/php5/ and /var/www/ folders. We work on a lot of projects and at any given time have 50-100 different apps/modules, each with an active DB.

We would like to come up with a mechanism to secure our DB passwords with the following considerations:

  • The sysadmins create the password and register it somewhere (a file, or a sqlite db or some such)
  • The apps provide a key indicating which DB and what permissions level they want and this module returns an object that contains everything needed for the connection. Something like "user_manager.client1.ro", "user_manager.client1.rw".
  • The mechanism should provide the specific password to the app and hence be accessible to 'www-data', but all the other passwords can't be seen unless their keys are known.

We have managed to get a prototype going for this, but the central password-providing module runs in www-data space and hence the file/sqlite can always be accessed by any other file in /var/www/ or /usr/lib/php5 and hence all passwords can be compromised.

Is there a way to set things up such that the password-providing module runs at root privileges and the apps request the passwords from this? I know we can build a whole new service for this, but it seems too much to build and maintain (especially because this service becomes our single point of failure).

Any suggestions?

Shreeni asked Jun 05 '13 02:06


1 Answers

Using permissions, you could do something like:

1) give one developer a user

2) chown every folder under /var/www/ to user www-data, and a specific group for that site, something like:

  /var/www/site-a  www-data  group-a
  /var/www/site-b  www-data  group-b
  etc.

3) chmod every directory (and all subdirectories and files, with -R) to 770

4) add each developer to every group for which he is actually developing.

ElementalStorm answered Oct 26 '22 23:10
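The four steps above as one script, as an added example that is not part of the answer: setup_site lays out one site directory with the owner, group and 770 mode the answer prescribes, add_dev_to_site does the group membership step, and audit_sites flags any site directory under the web root that is still accessible to "others". The web root path and the site, user and group names are parameters (assumptions, not values from the page); chown and usermod only take effect when run as root.

```shell
#!/bin/sh
# Added example, not from the answer above. Assumes a GNU userland
# (find -perm /mode, usermod -aG). Real chown/usermod need root.

# setup_site ROOT SITE OWNER GROUP
# Create ROOT/SITE owned by OWNER:GROUP and make the whole tree 770,
# so only the web server user and the site's group can get in.
setup_site() {
  root=$1; site=$2; owner=$3; group=$4
  mkdir -p "$root/$site"
  # chown fails when not root; keep going so the mode step still applies
  chown -R "$owner:$group" "$root/$site" 2>/dev/null || true
  chmod -R 770 "$root/$site"
}

# add_dev_to_site GROUP USER
# Step 4: a developer sees a site only by being in that site's group.
add_dev_to_site() {
  group=$1; user=$2
  usermod -aG "$group" "$user"
}

# audit_sites ROOT
# Print every top-level site directory that still grants any r/w/x bit
# to "others" (a leftover 755 tree would expose one site's config to
# developers of every other site). Returns 0 when nothing is found.
audit_sites() {
  root=$1
  bad=$(find "$root" -mindepth 1 -maxdepth 1 -type d -perm /007)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}
```

Run audit_sites /var/www after the chmod step (and again after any deploy) to catch directories that were recreated with the default umask.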