WebApp Sec mailing list archives
Re: clear-text passwords in shell/perl scripts
From: Paul Johnston <paul () westpoint ltd uk>
Date: Wed, 23 Mar 2005 09:45:07 +0000
Hi,This is a classic problem. One thing I've noticed is that storing the password in a separate file is definitely better than in the source code, keeping the secret stuff in one place. Aside from that, I can think of a couple of potential approaches, although I've not tried either:
1) Use an authentication mode that is based on the OS users that calls the database, not passwords. Most databases do support such a mode, although only for local connections.
2) I believe some operating systems support a per-user encrypted area, based on the user's password. This would at least protect the password on the disk, although manual intervention is required on reboot.
Regards, Paul Jeff Robertson wrote:
Say that a perl script needs access to a database, and access to this database requires a password. The script needs to run automatically with no human intervention, so it is not possible to prompt a user to enter the password at run time. This means that the password must either be in the script itself or in a file readable by the script. I have been asked what can be done to protect this password from falling into the wrong eyes. My recommendation is to tightly control read permissions to the script and/or the file that contains the password. Make the file owned by a special-purpose user who only exists to run this script, and chmod it to 600. That sort of thing. It has been suggested to encrypt the password. Since the script needs to get the clear text of the passwords in order to use them, this will need to be symmetric encryption and the script will need to have the key available, presumably stored in yet another file. As there would be no way to keep the key from being stolen other than to use the file permissions that were being relied on previously, you've just increased the complexity of the system without actually making it any more secure. This is bad. You'd be better off sticking with the simpler solution, since the security is the same either way. Can anyone either refute or provide further points in support of my stance on this? Jeff Robertson Manager of Web Application Security Digital Insight
-- Paul Johnston, GSEC Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk
Current thread:
- clear-text passwords in shell/perl scripts Jeff Robertson (Mar 20)
- Re: clear-text passwords in shell/perl scripts Joseph Miller (Mar 22)
- Re: clear-text passwords in shell/perl scripts Richard Moore (Mar 22)
- Re: clear-text passwords in shell/perl scripts Liran Cohen (Mar 22)
- Re: clear-text passwords in shell/perl scripts Paul Johnston (Mar 23)
- <Possible follow-ups>
- RE: clear-text passwords in shell/perl scripts Griffiths, Ian (Mar 22)
- RE: clear-text passwords in shell/perl scripts Ofer Shezaf (Mar 23)
- RE: clear-text passwords in shell/perl scripts M. Shirk (Mar 29)
- RE: clear-text passwords in shell/perl scripts Scovetta, Michael V (Mar 29)