xorl has asked for the wisdom of the Perl Monks concerning the following question:

Someone once told me:
If you put passwords in scripts, set your permissions appropriately or use a .rc file of some kind.
Of course they didn't tell me what the correct permissions are for the script or the .rc file are. Can y'all enlighten me?

Thanks

Replies are listed 'Best First'.
Re: Passwords in scripts
by CountZero (Bishop) on Mar 23, 2004 at 20:36 UTC
    The script should only be readable by those who need to use it and not by anyone else. For example, if the script is part of a dynamic website, it should only be accessible by the webserver program and not by anyone happening to pass by the file-system.

    CountZero

    "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

[reply]
      That would have been my guess. Thanks!
[reply]
Re: Passwords in scripts
by flyingmoose (Priest) on Mar 23, 2004 at 20:40 UTC
    Well, first off, using OS based authentication (something like Authen::PAM for Linux) or other mechanisms are much safer idea for restricting access to resources by passwords in scripts. PAM can, for instance, allow you to validate connections based on either who you are running as or possibly what username/password you enter. Lots of other similar tools exist, just search CPAN for Authen. Some monks pointed me this way earlier, and there is a lot of great stuff out there.

    If you want to restrict access to a file to keep folks that are not in your group from reading it, do a "man chmod" at the Unix prompt and much of this (but not all) will be explained. "Unix in a Nutshell" or "Unix power tools" (substitute Linux for Unix if you like), or some other sysadmin reference can probably go over permission based security better than I can here. In general, you want read/write/execute access only for owner, or only for owner and group, something like 0770 or 0700 is probably what you want. In the case of an rc file 0660 or 0600.

[reply]
Re: Passwords in scripts
by waswas-fng (Curate) on Mar 23, 2004 at 20:39 UTC
    chmod 0700 <file> would give the ower access to read-write-exec and everone else (group and other) no access. Also on many current enterprise level unix oses you also have to worry about ACL settings which can take or grant access at a different level then chmod. For instance on solaris look here...


    -Waswas
[reply]
      Good point! :-) ACL must be enabled in the filesystem as well at the kernel level (Solaris has this enabled by default now). GNU/Linux must be set up manually on most distributions.
[reply]
Re: Passwords in scripts
by jfroebe (Parson) on Mar 23, 2004 at 21:51 UTC
    Well, if you are going to store a password in a shell script (not a good idea IMHO), then make sure the people that need to use this file only have execute permission (read permission is not necessary).

    if possible, please use a hash of the password (crypt at a bare minimum)

    As flyingmoose said, Authen::PAM or similar can also be used.

[reply]
      if possible, please use a hash of the password (crypt at a bare minimum)
      For what? Considering that what one understands to be a 'hash' in this context, this is a one-way function. You can't decrypt it. But even if you can, the program must include instructions how to decrypt it, including any decryption keys. If you can see the instructions, you might as well store the password in plain text.

      Your suggestion is like locking the door of your house, and either bang the key with a hammer to a flat piece of metal, or to tape the key on the door.

      Abigail

[reply]
      Well, if you are going to store a password in a shell script (not a good idea IMHO), then make sure the people that need to use this file only have execute permission (read permission is not necessary).
      Not setting read permission will only work if you are root, or if the shell is setuid root. And that's because a process with root level permissions can read any file, regardless of its permissions. If the shell is denied read access to the file, how on earth is the shell going to know what it should do? It's the same for a Perl program - if perl can't read the file, nothing will happen.

      Abigail

[reply]
        Hi,

        yup, you are correct, thinking of binaries.
        Sorry about that

[reply]
Re: Passwords in scripts
by astroboy (Chaplain) on Mar 24, 2004 at 11:58 UTC

    You don't say what your application is. If it's a web app, you might want to place a password file outside of your web root (as well as taking the other precautions mentioned above). If it's just for generic db apps, you may wish to have a look at Perl for Oracle DBAs. It has code/links for a centralised password server which supplies the passwords over an encrypted connection. Even if you're not using Oracle, you should be able to adapt it to your needs ... unless it's overkill for you task at hand, of course

[reply]
      The script which prompted this was something I plan to use when I login to my box at work. It should request a page from a website, parse out an IP address on the page, and export it to a bash enviornemntal variable. All this so I can find the IP address of my computer at home (I guess I really could just use dyndns.org or myip.org or some other similar place).
[reply]

Back to Seekers of Perl Wisdom