WebApp Sec mailing list archives
RE: clear-text passwords in shell/perl scripts
From: "M. Shirk" <shirkdog_list () hotmail com>
Date: Mon, 28 Mar 2005 13:21:16 -0500
I would add it is important to know the risks of the system, and have plans to mitigate the risks; or just have the proper official sign off this as an allowed risk (C&A).
I know in NIST-SP800-026(Security Selft Assessment), Security Control #15.1.3 asks whether passwords are embedded in scripts. In other words, there better be a very good reason for it. :-)
Shirkdog http://www.shirkdog.us
From: "Ofer Shezaf" <Ofer.Shezaf () breach com>To: "Jeff Robertson" <Jeff.Robertson () DigitalInsight com>,"Webappsec (E-mail)" <webappsec () securityfocus com>Subject: RE: clear-text passwords in shell/perl scripts Date: Wed, 23 Mar 2005 14:58:11 -0500 Well Jeff, I think that you must combine both methods. The limitation of file permissions is the numerous privilege escalation vulnerabilities out there. You are right about encrypting passwords with keys stored on the machine (or otherwise trying to hide the password), but it does help to deter casual hackers. I like Jeremiah Grossman's article "The 80/20 Rule for Web Application Security" (http://www.webappsec.org/articles/013105-plain.html). We must always remember the total security is an unachievable goal and that we should do our best. The chances that a hacker, looking for the weakest point, will skip us are greater the more we invest in security. ~ Ofer Ofer Shezaf CTO, Breach Security Tel: +972.9.956.0036 ext.212 Cell: +972.54.443.1119 ofers () breach com http://www.breach.com > -----Original Message----- > From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com] > Sent: Friday, March 18, 2005 8:19 PM > To: Webappsec (E-mail) > Subject: clear-text passwords in shell/perl scripts > > Say that a perl script needs access to a database, and access to this > database requires a password. The script needs to run automatically with > no > human intervention, so it is not possible to prompt a user to enter the > password at run time. This means that the password must either be in the > script itself or in a file readable by the script. > > I have been asked what can be done to protect this password from falling > into the wrong eyes. My recommendation is to tightly control read > permissions to the script and/or the file that contains the password. Make > the file owned by a special-purpose user who only exists to run this > script, > and chmod it to 600. That sort of thing. > > It has been suggested to encrypt the password. Since the script needs to > get > the clear text of the passwords in order to use them, this will need to be > symmetric encryption and the script will need to have the key available, > presumably stored in yet another file. As there would be no way to keep > the > key from being stolen other than to use the file permissions that were > being > relied on previously, you've just increased the complexity of the system > without actually making it any more secure. This is bad. You'd be better > off > sticking with the simpler solution, since the security is the same either > way. > > Can anyone either refute or provide further points in support of my stance > on this? > > Jeff Robertson > Manager of Web Application Security > Digital Insight
_________________________________________________________________On the road to retirement? Check out MSN Life Events for advice on how to get there! http://lifeevents.msn.com/category.aspx?cid=Retirement
Current thread:
- clear-text passwords in shell/perl scripts Jeff Robertson (Mar 20)
- Re: clear-text passwords in shell/perl scripts Joseph Miller (Mar 22)
- Re: clear-text passwords in shell/perl scripts Richard Moore (Mar 22)
- Re: clear-text passwords in shell/perl scripts Liran Cohen (Mar 22)
- Re: clear-text passwords in shell/perl scripts Paul Johnston (Mar 23)
- <Possible follow-ups>
- RE: clear-text passwords in shell/perl scripts Griffiths, Ian (Mar 22)
- RE: clear-text passwords in shell/perl scripts Ofer Shezaf (Mar 23)
- RE: clear-text passwords in shell/perl scripts M. Shirk (Mar 29)
- RE: clear-text passwords in shell/perl scripts Scovetta, Michael V (Mar 29)