Hide config.php Database connection

Hi Gerardo,

I'm not sure would this solution help you. Since you are trying to just hide the config settings it could work.

You can keep your password in another place where people wouldn't have access. All you need to give apache to access this file but anybody else.

Like;

/my/pass/path/passwords

db_user_name=myDBUserName
db_password=topSecretDBPa55w0rd

And considering your sugar is located

/var/www/sugarcrm/

Then you would create a helper that reads the password from '/my/pass/path/passwords' and puts into your config_override.php like;

Consider your helper pwdHelper;

function pwdHelper(key){
   // read the file line by line, 
   // implode by = 
   // left handside key, right handside is value
   return value;
}
$sugar_config['dbconfig']['db_user_name'] = pwdHelper('db_user_name');
$sugar_config['dbconfig']['db_password'] = pwdHelper('db_password');

This approach usually works perfectly if you have multiple environments like sandboxes, development and production instance. But maybe this approach could work for you as well.

Note: This is not a security approach. It's just a way of handling the passwords. 

Best Regards
Tevfik Tümer
Developer Support Engineer

Hi Tevfik Tümer

I like the idea, but here They really want me to use CyberArk since it's the way they handle all passwords for DB connections.

I might be able to use your idea because the CyberArk connection info can be expose, then in the pwdHelper I can add the functionality to go and get the connection data to CyberArk.

function pwdHelper(){
   //Go get data to CyberArk
   return arrayData;
}
$sugar_config['dbconfig'] = pwdHelper();

I think this way may be the right way, what do you think?

Thank you very much.

Cheers.

Hi Gerardo Garcia Lima

If that answer really helped you.. mark it has Answer Correct

Regards

Syed

How would this solution handle adjustments to the `config.php` and `config_override.php` due to changes in the Sugar Configuration via the UI or an upgrade (e.g. going to Admin -> System Settings and adjusting the logging level)? Would it correctly re-create the `function` block and reference to it?

Hi Matthew,

I understand your concern and point of view. I personally came up with this idea without testing it. The function that is included through config_override.php can be wiped out in any config changes or upgrade. But you can add that function to another location under custom/include. That way you could make it work both conditions. I again did not test it but this way I believe would work.

But as this kind of solution, simplest and fastest way would be replaced with the passwords and proceed the upgrade. [possibly you can change the password every after the upgrade that would also increase your security]. 

Best Regards

Tevfik Tümer

Developer Support Engineer

Hi Matthew,

I understand your concern and point of view. I personally came up with this idea without testing it. The function that is included through config_override.php can be wiped out in any config changes or upgrade. But you can add that function to another location under custom/include. That way you could make it work both conditions. I again did not test it but this way I believe would work.

But as this kind of solution, simplest and fastest way would be replaced with the passwords and proceed the upgrade. [possibly you can change the password every after the upgrade that would also increase your security]. 

Best Regards

Tevfik Tümer

Developer Support Engineer