Re: Obscuring sensitive data in your scripts

Update: Just to make it clearer for the AC, you can never keep scripts or config files hidden from the sysadmins, no matter what. In order to get to a password, your Perl has to be able to read it. If your Perl can, so can the sysadmin on your box. What this is supposed to do, is make it easier for the sysadmin not to read your sensitive data. I agree with the false sense of security though.

If you don't want the sysadmins (or others) reading your passwords, then write your programs to accept the passwords from the commandline or prompt for them. False security is false security, period.

Comment on Re: Obscuring sensitive data in your scripts

Replies are listed 'Best First'.
Re: Re: Obscuring sensitive data in your scripts by fokat (Deacon) on Oct 21, 2003 at 18:13 UTC
I think all the fellow monks and readers here will be more than delighted to read your explanation about how to do this when you code a web app, for instance, that runs in a server managed by a third party and which needs to connect to yet another database server. How do you propose such problem be tacked? That said, I think the post makes it very clear that the proposed piece of code is not secure. /I/ happen to think that a well understood level of obscurity is better than no obscurity at all. Leaving your passwords inside the scripts is bad, bad, bad. But obscuring them as shown, at least has the benefit of forcing the sysadmin to do something deliberate to read them, which is /very/ useful to prove intentionality should the need arise. Finally, I can only interpret your answers (perceived tone and lack of a real identity) as rudeness, which I believe does not have a place in the monastery. If you do not agree to a point, it is usually a well respected practice to elaborate your answers and provide reasonable alternatives. This also allows the comunity to identify your views with an identity, giving you a chance to see for yourself how your opinions fare among the rest of us. BTW, I just realized that I wrote AC instead of AM in the first update. Sorry about that. Best regards -lem, but some call me fokat	[reply]
Re: Re: Re: Obscuring sensitive data in your scripts by Anonymous Monk on Oct 21, 2003 at 18:22 UTC
Finally, I can only interpret your answers (perceived tone and lack of a real identity) as rudeness, which I believe does not have a place in the monastery. If you do not agree to a point, it is usually a well respected practice to elaborate your answers and provide reasonable alternatives. This also allows the comunity to identify your views with an identity, giving you a chance to see for yourself how your opinions fare among the rest of us. I think the fact that your original post sits at -11 on worst nodes of the week, and neither of the anonymous replies seems to have gone sub-zero is a reasonable indicator of how things have fared among the rest of the community.	[reply]
Re: Re: Re: Re: Obscuring sensitive data in your scripts by fokat (Deacon) on Oct 21, 2003 at 18:28 UTC
Best regards I think the fact that your original post sits at -11 on worst nodes of the week, and neither of the anonymous replies seems to have gone sub-zero is a reasonable indicator of how things have fared among the rest of the community. Good point. I'll be waiting for the answer about how to solve the problem in my earlier reply, though. -lem, but some call me fokat	[reply]