Re: Hide DBI password in scripts

The C program will only return the password to registered calling programs or scripts - and checks the registered inode value to ensure it was not altered.

Uh, I did not see that. Creative, but breakable. There are editors that can edit files without altering the inode number, vi is the most common one.

For perl scripts, that does not help much, see my previous posting. You would also have to check all modules that the script may load, including the ones loaded at runtime, and the *.so for XS modules. And you would have to check that no "evil" modules are loaded. The perl debugger could be used to bypass the normal flow of operation, and of course to read the secret, so you need to check for that, too. To make things interesting, the security checks should allow updating perl modules via CPAN or distrubution packages.

/proc/$PID/comm can be modifed at runtime. I can run any program that I want and change that value so that it passes the check. And it is specific for Linux, not available elsewhere, and not on all Linux versions.

/proc/$PID/cmdline is read-only, so you could check for some tricks played on the command line. But you also have to check for several environment variables, see perlrun. You also have to check for sitecustomize.pl. And that's just perl. Other scripting languages have similar tricks.

LD_PRELOAD can do very evil stuff to any dynamically linked program, see ld.so. If I can inject a shared object that calls the secret-emitting program even before main() runs, your secret is no longer secret. So you definitively have to check the environment.

What happens for strace -o /tmp/trace /home/shared/bin/shared-program? I would expect to find the secret in /tmp/trace.

Just for fun, read suEXEC Security Model. All of these paranoid checks are there just to safely run CGIs as a different user, this program is not trying to keep anything secret.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Comment on Re: Hide DBI password in scripts Select or Download Code

Replies are listed 'Best First'.
Re^2: Hide DBI password in scripts by danielgr (Novice) on Jan 13, 2018 at 01:33 UTC
We can probably solve the perl debugger problem with something like: $db=DBI->connect("DBI:Oracle:sid=$DBSID;host=$DBHOST;port=$DBPORT;","$ +DBUSER",`/path/shared_C_program`) \|\| ($err=$db->errstr); [download] Thank you for the wealth of information.	[reply] [d/l]
Re^3: Hide DBI password in scripts by afoken (Chancellor) on Jan 13, 2018 at 13:08 UTC
We can probably solve the perl debugger problem with something like: $db=DBI->connect("DBI:Oracle:sid=$DBSID;host=$DBHOST;port=$DBPORT;","$ +DBUSER",`/path/shared_C_program`) \|\| ($err=$db->errstr); [download] I don't need a debugger for that. strace is sufficient: /tmp>cat password-keeper.c #include <stdio.h> int main(int argc, char ** argv) { // note: security checks omitted // note: deobfuscation omitted fputs("postgres",stdout); return 0; } /tmp>make password-keeper cc password-keeper.c -o password-keeper /tmp>strip password-keeper /tmp>cat victim.pl #!/usr/bin/perl use strict; use warnings; use DBI; my $dbh=DBI->connect('dbi:Pg:dbname=postgres','postgres',`./password-k +eeper`,{ RaiseError => 1 }); my $sth=$dbh->prepare('select 42 as answer'); $sth->execute(); $sth->dump_results(); /tmp>strace -f -o trace.txt -e trace=write,process perl victim.pl 42 1 rows /tmp>cat trace.txt 26962 execve("/usr/local/bin/perl", ["perl", "victim.pl"], [/* 40 vars + /]) = 0 26962 arch_prctl(ARCH_SET_FS, 0x7f04ca5ce700) = 0 26962 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID\|CLONE_CHILD_SETT +ID\|SIGCHLD, child_tidptr=0x7f04ca5ce9d0) = 26963 26963 execve("./password-keeper", ["./password-keeper"], [/ 40 vars * +/]) = 0 26963 arch_prctl(ARCH_SET_FS, 0x7f7d4ad21700) = 0 26963 write(1, "postgres", 8) = 8 26963 exit_group(0) = ? 26963 +++ exited with 0 +++ 26962 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26963, + si_uid=1001, si_status=0, si_utime=0, si_stime=0} --- 26962 wait4(26963, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = + 26963 26962 write(1, "42\n1 rows\n", 10) = 10 26962 exit_group(0) = ? 26962 +++ exited with 0 +++ /tmp> [download] Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l] [select]


more useful options
	PerlMonks