reading file containing passwords

John

Hi

I have a web perl script. In the script I need to access a SQL database. I
have the password as a string in the script. Clearly anyone downloading the
script can see it. I tried putting the password in a file (chmod 0400 -
read by owner only). Unfortunately, being on the web I need to set it to
0444 - read by everyone - which defeats the aim. I appreciate it is more of
a linux problem than Perl but what do others do when they have passwords they
need to send to a SQL database etc. when running a Perl script on the web.

Regards
John

Michael Vilain

"John" <[email protected]> said:
> Hi
>
> I have a web perl script. In the script I need to access a SQL database. I
> have the password as a string in the script. Clearly anyone downloading the
> script can see it. I tried putting the password in a file (chmod 0400 -
> read by owner only). Unfortunately, being on the web I need to set it to
> 0444 - read by everyone - which defeats the aim. I appreciate it is more of
> a linux problem than Perl but what do others do when they have passwords they
> need to send to a SQL database etc. when running a Perl script on the web.
>
> Regards
> John

I think the usual way around this is to place the file outside the
DOCROOT directory, protect it from being read by Apache's process (e.g.
it's owned by the account that downloaded the file and only that UID can
read it) and run the CGI script through cgiwrap:

http://cgiwrap.sourceforge.net/

ccc31807

> I have a web perl script.  In the script I need to access a SQL database.  I
> have the password as a string in the script.  Clearly anyone downloading the
> script can see it.

Unfortunately, if you script a connection to a database, or anything
else requiring credentials, you have to also script the credentials.
The only alternative is to require entry of the credentials at the
keyboard, which defeats the purpose of scripting.

You need credentials to authenticate the user. There are only two ways
to present the credentials: either type them in at the keyboard, or
save them to some kind of persistent storage. The former is safer, the
latter is more convenient. You can't have safety and convenience in
this situation, you have to choose one or the other.

My solution is to place the credentials in a separate configuration
file, and have the script read the configuration file to initialize.
It doesn't really matter where you put the configuration file -- any
person who has access to the machine, and read privileges for the
file, can read your configuration file. There simply isn't any way
around this.

CC.

Martijn Lievaart

> I think the usual way around this is to place the file outside the
> DOCROOT directory, protect it from being read by Apache's process (e.g.
> it's owned by the account that downloaded the file and only that UID can
> read it) and run the CGI script through cgiwrap:

Even without cgiwrap, get it outside the webroot. There are several ways,
but either use-ing a module that does the db connection or reading a
config file are the easiest and most obvious.

HTH,
M4
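Putting the two suggestions in this thread together (a config file outside DOCROOT, readable only by the account the CGI runs as, e.g. under cgiwrap) as an added example; this is not code from any of the posts. The file path, the key = value layout of the config file and the DSN are assumptions; the script refuses to use the file if it is group- or world-readable or not owned by the running user, so a slip back to 0444 fails loudly instead of silently exposing the password.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl ':mode';
use DBI;

# Assumed location: outside the web server's document root, owned by the
# account the CGI runs as (via cgiwrap), mode 0400. Example contents:
#   dsn      = DBI:mysql:database=shop;host=localhost
#   user     = shopweb
#   password = PLACEHOLDER_PASSWORD
my $CONF = '/home/john/private/db.conf';

# Parse "key = value" lines, but only after checking the file's ownership and
# permission bits: anything readable by group or others is rejected outright.
sub read_credentials {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    die sprintf("refusing %s: mode %04o is group/world accessible\n", $path, $mode)
        if $mode & (S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
    die "refusing $path: owner uid $st[4] is not the running uid $<\n"
        if $st[4] != $<;

    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my %cfg;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;          # skip comments and blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "bad line in $path: $line\n";
        $cfg{$k} = $v;
    }
    close $fh;
    for my $key (qw(dsn user password)) {
        die "$path is missing '$key'\n" unless defined $cfg{$key};
    }
    return \%cfg;
}

my $cfg = read_credentials($CONF);
my $dbh = DBI->connect($cfg->{dsn}, $cfg->{user}, $cfg->{password},
                       { RaiseError => 1, PrintError => 0 })
    or die "connect failed: $DBI::errstr\n";
# ... queries go here; the password appears neither in this script nor under DOCROOT.
$dbh->disconnect;
```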

Xho Jingleheimerschmidt

John said:
> Hi
>
> I have a web perl script. In the script I need to access a SQL database. I
> have the password as a string in the script. Clearly anyone downloading the
> script can see it.

So then don't let people download the script.

> I tried putting the password in a file (chmod 0400 -
> read by owner only).

Who is the owner?

> Unfortunately, being on the web I need to set it to
> 0444 - read by everyone - which defeats the aim. I appreciate it is more of
> a linux problem than Perl but what do others do when they have passwords they
> need to send to a SQL database etc. when running a Perl script on the web.

Don't serve your meant-for-execution scripts as content over the web.

Don't run on a shared web server with other users you don't trust.
Barring that, have the shared server in the hands of a good
administrator who configures apache to use setuid or kin to isolate users.

Xho

Ted Zlatanov

c> Unfortunately, if you script a connection to a database, or anything
c> else requiring credentials, you have to also script the credentials.
c> The only alternative is to require entry of the credentials at the
c> keyboard, which defeats the purpose of scripting.

You can put the credentials in shared memory. Then if the script can't
read them it fails; otherwise it will complain (send e-mail, whatever)
until someone loads the credentials back. Since shared memory has
permissions, this is as secure as putting them in a file but without the
risk of making them world-readable as easily. I've seen similar schemes
with SSL certificates but it's all betting that the attacker won't have
exec access to the system.

Another approach is to allow login without a password from a specific
user on localhost. It won't work remotely so it's pretty safe and
there's no password to compromise.

Ted