OSEC

Re: clear-text passwords in shell/perl scripts

From: Liran Cohen (theogartnet.co.il)
Date: Mon Mar 21 2005 - 06:43:46 CST


Hi Jeff,

I don't really know what database you're using, but maybe using PKI?

TheOg
Jeff Robertson wrote:

>Say that a perl script needs access to a database, and access to this
>database requires a password. The script needs to run automatically with no
>human intervention, so it is not possible to prompt a user to enter the
>password at run time. This means that the password must either be in the
>script itself or in a file readable by the script.
>
>I have been asked what can be done to protect this password from falling
>into the wrong eyes. My recommendation is to tightly control read
>permissions to the script and/or the file that contains the password. Make
>the file owned by a special-purpose user who only exists to run this script,
>and chmod it to 600. That sort of thing.
>
>It has been suggested to encrypt the password. Since the script needs to get
>the clear text of the passwords in order to use them, this will need to be
>symmetric encryption and the script will need to have the key available,
>presumably stored in yet another file. As there would be no way to keep the
>key from being stolen other than to use the file permissions that were being
>relied on previously, you've just increased the complexity of the system
>without actually making it any more secure. This is bad. You'd be better off
>sticking with the simpler solution, since the security is the same either
>way.
>
>Can anyone either refute or provide further points in support of my stance
>on this?
>
>Jeff Robertson
>Manager of Web Application Security
>Digital Insight
>
>
>
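As an added example, not code from either poster: the control Jeff describes (credential file owned by a dedicated user, mode 0600) is only as good as its permissions staying that way, so a script that depends on it should verify ownership and mode at start-up and refuse to run when they have drifted, rather than quietly using a password that has become world-readable. The shell below does that for a password file; the file paths, the sample password and the `DEMO` guard are constructed for the demonstration, and it assumes GNU `stat -c` with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example, not code from the thread. The password lives in a file owned
# by the user that runs the script, mode 0600; the script refuses to start if
# the file's ownership or mode no longer match, so a loosened permission fails
# loudly instead of silently exposing the credential.
# Assumptions: GNU stat (-c) or BSD stat (-f); paths and the sample password
# below are constructed for the demo.

# check_secret_file FILE
# Return 0 only if FILE is a regular file, owned by the invoking user, with no
# group or other permission bits set. Otherwise explain on stderr and return 1.
check_secret_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "refusing: $f is not a regular file" >&2
        return 1
    fi
    # Octal mode without leading zeros (600, 640, 4755, ...) and numeric uid.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing: $f is owned by uid $owner, not uid $(id -u)" >&2
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case $mode in
        *00) ;;
        *)  echo "refusing: $f has mode $mode (group/other bits set)" >&2
            return 1 ;;
    esac
    return 0
}

# load_db_password FILE
# Print the first line of FILE on stdout, but only after check_secret_file
# accepts it. Callers capture it with $(...) so the password is never passed
# as a command-line argument, where it would be visible in a process listing.
load_db_password() {
    check_secret_file "$1" || return 1
    IFS= read -r pw < "$1" || return 1
    printf '%s\n' "$pw"
}

# Demo (constructed): create the credential file the way the script's owner
# would, show the check accepting it, then loosen it to 0644 and show the
# script refusing to read it.
demo() {
    dir=$(mktemp -d)
    printf 'not-a-real-password\n' > "$dir/dbpass"
    chmod 600 "$dir/dbpass"
    load_db_password "$dir/dbpass" >/dev/null && echo "0600: accepted"
    chmod 644 "$dir/dbpass"
    load_db_password "$dir/dbpass" >/dev/null || echo "0644: rejected"
    rm -rf "$dir"
}

if [ "${DEMO:-0}" = 1 ]; then
    demo
fi
```

Run it with `DEMO=1 sh script.sh` to see both outcomes. The check is deliberately narrow: it does not try to prove the file has never been read by anyone else (nothing on the host can), it only ensures the script does not keep working after the one control it relies on has been weakened, which is the failure mode a plain `open` would hide.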