|
Re: Hiding passwords in scripts
by simon.proctor (Vicar) on Sep 29, 2004 at 12:21 UTC
|
Why not just create limited privilege users in your database? Not only does it devalue the importance of knowing the password but if you accidentally introduce any SQL injection insecurities the scope of damage is limited.
For example, if all you are doing is select and update then only give select and update privileges.
| [reply] |
Re: Hiding passwords in scripts
by Fletch (Bishop) on Sep 29, 2004 at 12:55 UTC
|
| [reply] |
Re: Hiding passwords in scripts
by Roger (Parson) on Sep 29, 2004 at 12:09 UTC
|
You could use something like Crypt::OpenPGP to encrypt/decrypt your database configuration strings. Just be sure that nobody can see your private keys, assumed to be read-only to yourself, and hidden somewhere, say, ~/.ssh directory. Check the module documentations for details on how to encrypt/decrypt messages.
| [reply] |
Re: Hiding passwords in scripts
by gri6507 (Deacon) on Sep 29, 2004 at 11:23 UTC
|
You can use something like Filter::CBC to encrypt your entire source code, so that the password (and the rest of the program) are illegible to the human. | [reply] |
|
|
Hi There,
thanks for the quick replies, I should have pointed out that other people will probably be working on these scripts also, so encrypting the entire source code is probably not going to be an option for me. Its just the actual password that needs to be hidden.
Plato
| [reply] |
|
|
This sounds to me like the scriptkiddies who use some "don't use your right mouse button" script to 'hide' other javascripts that the stole from numerous sites ;)
If you are developing something with more people, I take it that these people need that password too. If not, there's no need for a password in there. If they have their own password, use something like $HOME/.configuration, or just accept it as a parameter.
--
b10m
All code is usually tested, but rarely trusted.
| [reply] |
|
|
Re: Hiding passwords in scripts
by pelagic (Priest) on Sep 29, 2004 at 10:56 UTC
|
as always: TIMTOWTDI
Use a hidden file such as .password containing the secret quote and read it from your script before you use it.
| [reply]
[d/l] |
|
|
I am having a similar problem, but my problem is that my software has these lines repeated multiple times, so can you please elaborate on this topic?
I'm looking to create a configuration file with the appropriate information, and get it into my source. What directive would I need to include: use? require?
| [reply] |
|
|
You could use a very simple config file (call it eg .secret.config to make it hidden) such as:
first secret
second public
and parse it with ConfigReader::Simple like:
use strict;
use ConfigReader::Simple;
my $config = ConfigReader::Simple->new(".secret.config");
print $config->get( "first" ), "\n";
print $config->get( "second" ), "\n";
Update
Of course hidden is not read protected. It's just that you don't see your settings in the code. To get more security you might want to protect the config file with a mode that only the executor can read the content ... but then how can the developers test the thing?
| [reply]
[d/l]
[select] |
|
|
No, use, require and eval should not be used. do is the one. Search for threads on including other perl files for discussions on this topic.
| [reply]
[d/l]
[select] |
|
|
Take the config file approach a step further by setting the file permissions to limit access. If you need other people to have access to the script (and config file) then you will have to set rights for a group.
| [reply] |
|
|
| [reply] |
Re: Hiding passwords in scripts
by Plankton (Vicar) on Sep 29, 2004 at 15:51 UTC
|
Try and avoid storing your password in a file. It is better to just prompt the user ...
use Term::ReadKey;
use DBI;
.
.
.
print "Enter password for $user:\n";
ReadMode 2;
chomp($passwd = ReadLine(0));
ReadMode 0; # Reset tty mode
my $dbh = DBI->connect("DBI:mysql:database=$db;host=$server", $user, $
+passwd);
What reason do you have for putting a password in your scripts?
| Plankton: 1% Evil, 99% Hot Gas. |
| [reply]
[d/l] |
|
|
That's not a good solution for batch apps, mod_perl pages, daemons, and all sorts of other stuff. It's best to just configure the database to use something else, and to have it all work automagically. Most newer databases are cool enough to use other security mechanisms, making password just a step up from "security = totally off".
| [reply] |
|
|
Sure it is, just fork your script off into the background after someone has enter the password.
| [reply] |
Re: Hiding passwords in scripts
by water (Deacon) on Sep 30, 2004 at 01:54 UTC
|
&use_password_somehow( &get_secret_password_from_somewhere);
becomes
my $no_longer_so_secret_password =
&get_secret_password_from_somewhere;
print STDOUT $no_longer_so_secret_password . "\n";
&use_password_somehow( $no_longer_so_secret_password );
In other words, if the app can get the password, so can the developers.
So again 'security thru obscurity' doesn't offer anything.
Musing: and if you don't trust the developers -- who (in some shops) have access to root, to DB root, to CVS sources, to code, to docs, to core data, and (in some shops) have physical access to key servers / routers / etc, and thus could wreak all kinds of malicious stuff, should they be so inclined -- well, then, things certainly don't look so good. Figure out who needs access to what, give the right people access to what they need, and lock down securely (not just obscure) the other stuff for the other folks. And at some level, certain key individuals have to be trusted, bottom line. | [reply]
[d/l]
[select] |
Re: Hiding passwords in scripts
by mkirank (Chaplain) on Sep 30, 2004 at 13:05 UTC
|
u can use Tie::EncryptedHash which will hold the db Information as a encrypted hash which the programmers can not read (although they can do it programmatically) ..
| [reply] |
