I (will) have a binary executable file. It’s only permission is user-execute. It cannot be read by user, group, or world. The owner of the file is the Apache user. I don’t want the apache user to be able to read the file, but I do want the apache user (via a PHP script) to be able to execute the file.
The binary executable file contains a password that is used to decrypt an SSH private key file, as I need the public key to hash the request body & compare against a hashed signature my server is receiving. The executable binary file will receive the request body & hashed signature, do its stuff, and simply return "yes" or "no" to indicate if the request is valid.
I know my executable binary file could still be accessed by
sudo. Preventing that would be interesting, but is beyond the scope of my question.
Would this be an effective way to protect the password (which is in the binary file that can ONLY be executed) against PHP scripts running under the apache user?
Note: I would like to open-source this setup so want it to be useable on a variety of linux servers. I’m personally on a shared-server so can’t really configure apache or the system, and that would be my target audience.