WebApp Sec mailing list archives
Antwort: Re: clear-text passwords in shell/perl scripts
From: Carsten Kuckuk <ck () rib de>
Date: Wed, 23 Mar 2005 09:58:31 +0100
Mabe you can put the database in charge. You'd rewrite your script as a trigger on a dummy table and have the trigger do all the critical stuff. Oracle has a complete JVM inside the database, and Microsoft a CLR. So your cron script would log into the database using a locked down account that can only, access one table. This table would have a trigger connected to it that would then start the real, critical work. Depending on the options that the database trigger programming language offers you, you could either put the whole script inside the trigger, or have the trigger create the data that the real script needs to perform its duty, and then call the real script from within the database. This way, the user/password pair that a hacker could find, would only allow the hacker to access a worthless table and trigger the trigger, but nothing else. Carsten Liran Cohen <theog () artnet co il> 21.03.2005 13:43 An: Jeff Robertson <Jeff.Robertson () DigitalInsight com> Kopie: "Webappsec (E-mail)" <webappsec () securityfocus com> Thema: Re: clear-text passwords in shell/perl scripts Hi Jeff, I don't really know what database u'r using , but maybe using PKI? TheOg Jeff Robertson wrote:
Say that a perl script needs access to a database, and access to this database requires a password. The script needs to run automatically with
no
human intervention, so it is not possible to prompt a user to enter the password at run time. This means that the password must either be in the script itself or in a file readable by the script. I have been asked what can be done to protect this password from falling into the wrong eyes. My recommendation is to tightly control read permissions to the script and/or the file that contains the password.
Make
the file owned by a special-purpose user who only exists to run this
script,
and chmod it to 600. That sort of thing. It has been suggested to encrypt the password. Since the script needs to
get
the clear text of the passwords in order to use them, this will need to
be
symmetric encryption and the script will need to have the key available, presumably stored in yet another file. As there would be no way to keep
the
key from being stolen other than to use the file permissions that were
being
relied on previously, you've just increased the complexity of the system without actually making it any more secure. This is bad. You'd be better
off
sticking with the simpler solution, since the security is the same either way. Can anyone either refute or provide further points in support of my
stance
on this? Jeff Robertson Manager of Web Application Security Digital Insight
Current thread:
- Antwort: Re: clear-text passwords in shell/perl scripts Carsten Kuckuk (Mar 23)