by kirab 4446 days ago
I think they couldn’t read /etc/shadow, so it’s not that bad at first. But then they could surely access some configuration file of the application itself, probably containing DB creds and of course more information which helps to find more vulns.

It's shocking to me that baking "db creds" into a binary or configuration file is still so common that anyone would expect it to be true on a randomly selected server. Is this still the industry standard?
How else would you do it? If you use a configuration "service" the credentials to access the service must be baked in.
Well, I can think of a couple of ways off the top of my head, that I'm sure will be shouted down for being simplistic:

1) ident protocol, or something similar. On the internet, it's a disaster, but for machines all owned by the same organization, it makes sense.

2) SSL client certificate. This can be hardened in various ways, like having the certs expire every ten minutes, etc.

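The second option in the comment above, short-lived SSL/TLS client certificates in place of a password in the application's config, worked through as an added example. This is not code from any commenter or from Google; it uses only Go's standard crypto/x509 package. The CA name "example-internal-ca", the application identity "billing-app", the 10-minute lifetime and the 30-second clock-skew backdating are assumptions made here. The database-side check also rejects a certificate with the same CN issued by an unrelated CA, which the comment does not spell out but which is what makes the scheme hold.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClientCertTTL is the assumed client-certificate lifetime ("expire every ten minutes").
const ClientCertTTL = 10 * time.Minute

// signAndParse signs tmpl with the signer's key and returns the parsed certificate.
func signAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a throwaway self-signed CA; in production the CA key lives off the app hosts.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := signAndParse(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueClientCert signs a client-auth cert for appName valid for ttl from issuedAt.
// The 30-second backdating is a clock-skew allowance assumed for this example.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, appName string,
	issuedAt time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: appName},
		NotBefore:    issuedAt.Add(-30 * time.Second),
		NotAfter:     issuedAt.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := signAndParse(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifyClientCert is the database-side check at connection time: chain the presented
// cert to the trusted CA, enforce the validity window as of `at`, return the CN as identity.
func VerifyClientCert(ca, cert *x509.Certificate, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := NewCA("example-internal-ca")
	if err != nil {
		panic(err)
	}
	issued := time.Now()
	cert, _, err := IssueClientCert(ca, caKey, "billing-app", issued, ClientCertTTL)
	if err != nil {
		panic(err)
	}
	id, err := VerifyClientCert(ca, cert, issued) // fresh: accepted, identity comes from the cert
	fmt.Println("at issue:", id, err)
	_, err = VerifyClientCert(ca, cert, issued.Add(11*time.Minute)) // a stolen copy is dead
	fmt.Println("after TTL:", err)
	rogue, rogueKey, _ := NewCA("rogue-ca") // same CN, untrusted issuer: rejected
	rogueCert, _, _ := IssueClientCert(rogue, rogueKey, "billing-app", issued, ClientCertTTL)
	_, err = VerifyClientCert(ca, rogueCert, issued)
	fmt.Println("rogue CA:", err)
}
```

The application still holds a secret (its private key), so this does not make the "something must be baked in" objection vanish; the difference is that the key is generated on the host, never written into the application's config, and a leaked certificate is worthless once its ten minutes are up. What the server trusts is the CA, not a string copied out of a config file.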
That's certainly not how we do it at Google.
Sadly but truly!