reading file containing passwords

Discussion in 'Perl Misc' started by John, Nov 13, 2010.

  1. John

    John Guest

    Hi

    I have a web perl script. In the script I need to access a SQL database. I
    have the password as a string in the script. Clearly anyone downloading the
    script can see it. I tried putting the password in a file (chmod 0400 -
    read by owner only). Unfortunately, being on the web I need to set it to
    0444 - read by everyone - which defeats the aim. I appreciate it is more of
    a linux problem than Perl but what do others do when they have passwords they
    need to send to a SQL database etc. when running a Perl script on the web.

    Regards
    John
     
    John, Nov 13, 2010
    #1

  2. In article <ibmd3d$dj$>, "John" <>
    wrote:

    > Hi
    >
    > I have a web perl script. In the script I need to access a SQL database. I
    > have the password as a string in the script. Clearly anyone downloading the
    > script can see it. I tried putting the password in a file (chmod 0400 -
    > read by owner only). Unfortunately, being on the web I need to set it to
    > 0444 - read by everyone - which defeats the aim. I appreciate it is more of
    > a linux problem than Perl but what do others do when they have passwords they
    > need to send to a SQL database etc. when running a Perl script on the web.
    >
    > Regards
    > John


    I think the usual way around this is to place the file outside the
    DOCROOT directory, protect it from being read by Apache's process (e.g.
    it's owned by the account that downloaded the file and only that UID can
    read it) and run the CGI script through cgiwrap:

    http://cgiwrap.sourceforge.net/

    --
    DeeDee, don't press that button! DeeDee! NO! Dee...
    [I filter all Goggle Groups posts, so any reply may be automatically ignored]
     
    Michael Vilain, Nov 13, 2010
    #2

  3. ccc31807 Guest

    On Nov 13, 11:07 am, "John" <> wrote:
    > I have a web perl script.  In the script I need to access a SQL database.  I
    > have the password as a string in the script.  Clearly anyone downloading the
    > script can see it.


    Unfortunately, if you script a connection to a database, or anything
    else requiring credentials, you have to also script the credentials.
    The only alternative is to require entry of the credentials at the
    keyboard, which defeats the purpose of scripting.

    You need credentials to authenticate the user. There are only two ways
    to present the credentials: either type them in at the keyboard, or
    save them to some kind of persistent storage. The former is safer, the
    latter is more convenient. You can't have safety and convenience in
    this situation, you have to choose one or the other.

    My solution is to place the credentials in a separate configuration
    file, and have the script read the configuration file to initialize.
    It doesn't really matter where you put the configuration file -- any
    person who has access to the machine, and read privileges for the
    file, can read your configuration file. There simply isn't any way
    around this.

    CC.
     
    ccc31807, Nov 13, 2010
    #3
  4. On Sat, 13 Nov 2010 09:00:04 -0800, Michael Vilain wrote:

    > In article <ibmd3d$dj$>, "John" <>
    > wrote:
    >
    >> Hi
    >>
    >> I have a web perl script. In the script I need to access a SQL
    >> database. I have the password as a string in the script. Clearly
    >> anyone downloading the script can see it. I tried putting the password
    >> in a file (chmod 0400 - read by owner only). Unfortunately, being on
    >> the web I need to set it to 0444 - read by everyone - which defeats the
    >> aim. I appreciate it is more of a linux problem than Perl but what do
    >> others do when they have passwords they need to send to a SQL database
    >> etc. when running a Perl script on the web.
    >>
    >> Regards
    >> John

    >
    > I think the usual way around this is to place the file outside the
    > DOCROOT directory, protect it from being read by Apache's process (e.g.
    > it's owned by the account that downloaded the file and only that UID can
    > read it) and run the CGI script through cgiwrap:


    Even without cgiwrap, get it outside the webroot. There are several ways,
    but either use-ing a module that does the db connection or reading a
    config file are the easiest and most obvious.

    HTH,
    M4
     
    Martijn Lievaart, Nov 13, 2010
    #4
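Posts #3 and #4 both recommend a separate credentials file kept outside the document root. The script below is an added example, not code from the thread or from any of the posters; the path, the KEY=VALUE format and the DBI DSN are assumptions. Its point is the check that the answers leave implicit: before the password is used, the script verifies that the file is owned by the uid it runs as and carries no group/other bits, so the "had to chmod 0444" situation from the question fails loudly instead of quietly handing the password to every user on the box.

```perl
#!/usr/bin/perl
# Added example: load DB credentials from a file outside DOCROOT and refuse to
# run if that file is readable by anyone but its owner.
use strict;
use warnings;
use Fcntl ':mode';   # S_IMODE

# Assumed location, deliberately outside the web server's document root so it
# can never be served as content.
my $CONFIG = '/home/john/etc/db.conf';   # hypothetical path

# Reads KEY=VALUE lines (dsn, user, password) and returns a hashref.
# Dies if the file's permissions or ownership are wrong.
sub load_db_credentials {
    my ($path) = @_;

    my @st = stat($path) or die "cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    # Any bit in 0077 means group or others can read, write or execute it.
    # 0400 (or 0600) is what we want.
    if ($mode & 0077) {
        die sprintf("refusing to use %s: mode %04o is accessible to others\n",
                    $path, $mode);
    }
    # The file must belong to the uid this script runs as; on a shared host
    # that is the check Xho's "who is the owner?" question is getting at.
    if ($st[4] != $>) {
        die "refusing to use $path: not owned by effective uid $>\n";
    }

    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my %cfg;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;            # skip comments and blanks
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "bad line in $path: $line\n";
        $cfg{$k} = $v;
    }
    close $fh;

    for my $required (qw(dsn user password)) {
        die "$path: missing '$required'\n" unless defined $cfg{$required};
    }
    return \%cfg;
}

# Connects through DBI with the loaded credentials. DBI is required lazily so
# the permission check can be exercised on a machine without DBI installed.
sub connect_db {
    my ($cfg) = @_;
    require DBI;
    return DBI->connect($cfg->{dsn}, $cfg->{user}, $cfg->{password},
                        { RaiseError => 1, PrintError => 0 });
}

my $cfg = load_db_credentials($CONFIG);
my $dbh = connect_db($cfg);
print "connected as $cfg->{user}\n";
$dbh->disconnect;
```

The config file would contain three lines such as `dsn=DBI:mysql:database=shop;host=localhost`, `user=shop_web` and `password=...`, created with `umask 077` or followed by `chmod 0400`. If the CGI runs as the web server's uid rather than John's (the case Michael's cgiwrap suggestion addresses), the ownership check fails, which is the right outcome: a file readable by the Apache user is readable by every other CGI on the same server.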
  5. John wrote:
    > Hi
    >
    > I have a web perl script. In the script I need to access a SQL database. I
    > have the password as a string in the script. Clearly anyone downloading the
    > script can see it.


    So then don't let people download the script.

    > I tried putting the password in a file (chmod 0400 -
    > read by owner only).


    Who is the owner?

    > Unforunately, being on the web I need to set it to
    > 0444 - read by everyone - which defeats the aim. I appreciate it is more of
    > a linux problem that Perl but what do other do when they have passwords they
    > need to send to a SQL database etc. when running a Perl script on the web.


    Don't serve your meant-for-execution scripts as content over the web.

    Don't run on a shared web server with other users you don't trust.
    Barring that, have the shared server in the hands of a good
    administrator who configures apache to use setuid or kin to isolate users.

    Xho
     
    Xho Jingleheimerschmidt, Nov 14, 2010
    #5
  6. Ted Zlatanov Guest

    On Sat, 13 Nov 2010 10:21:24 -0800 (PST) ccc31807 <> wrote:

    c> Unfortunately, if you script a connection to a database, or anything
    c> else requiring credentials, you have to also script the credentials.
    c> The only alternative is to require entry of the credentials at the
    c> keyboard, which defeats the purpose of scripting.

    You can put the credentials in shared memory. Then if the script can't
    read them it fails; otherwise it will complain (send e-mail, whatever)
    until someone loads the credentials back. Since shared memory has
    permissions, this is as secure as putting them in a file but without the
    risk of making them world-readable as easily. I've seen similar schemes
    with SSL certificates but it's all betting that the attacker won't have
    exec access to the system.

    Another approach is to allow login without a password from a specific
    user on localhost. It won't work remotely so it's pretty safe and
    there's no password to compromise.

    Ted
     
    Ted Zlatanov, Nov 15, 2010
    #6
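Ted's shared-memory scheme, as an added example that is not code from the thread or from Ted: the owner loads the credentials once into a SysV segment created with mode 0600, and the web script either finds them or fails and complains. The fixed key, the segment size and the two-step "load" / "unload" interface are assumptions. The password is read from standard input rather than the command line so it does not show up in `ps`.

```perl
#!/usr/bin/perl
# Added example: credentials held in a 0600 SysV shared-memory segment.
use strict;
use warnings;
use IPC::SysV qw(IPC_CREAT IPC_EXCL IPC_RMID);

my $KEY  = 0x4a646263;   # hypothetical fixed key; ftok() on a real path also works
my $SIZE = 4096;

# Run once by the owning user (e.g. after a reboot). Creates the segment with
# mode 0600 so only that uid can read it, then stores "user\0password".
sub load_credentials {
    my ($user, $password) = @_;
    my $id = shmget($KEY, $SIZE, IPC_CREAT | IPC_EXCL | 0600);
    die "shmget (create): $!\n" unless defined $id;
    my $blob = "$user\0$password";
    die "credentials too long\n" if length($blob) >= $SIZE;
    shmwrite($id, $blob, 0, $SIZE) or die "shmwrite: $!\n";   # null-padded
    return $id;
}

# Called by the web script. Returns (user, password), or an empty list when
# the segment is missing (ENOENT) or belongs to another uid (EACCES).
sub fetch_credentials {
    my $id = shmget($KEY, $SIZE, 0);
    return unless defined $id;
    my $buf;
    shmread($id, $buf, 0, $SIZE) or return;
    $buf =~ s/\0+\z//;                          # strip the padding
    my ($user, $password) = split /\0/, $buf, 2;
    return unless defined $password;
    return ($user, $password);
}

# Removes the segment, e.g. while rotating the password.
sub remove_credentials {
    my $id = shmget($KEY, $SIZE, 0);
    return unless defined $id;
    shmctl($id, IPC_RMID, 0) or die "shmctl: $!\n";
}

# What the script does instead of running with no credentials: fail and tell
# someone. Sending mail is left as a comment; the exit status is the point.
sub notify_missing {
    warn "database credentials are not loaded; rerun the loader\n";
    # e.g. open a pipe to sendmail here
}

if (@ARGV && $ARGV[0] eq 'load') {
    my $user = $ARGV[1] or die "usage: $0 load USER  (password on stdin)\n";
    chomp(my $password = <STDIN>);
    load_credentials($user, $password);
    print "loaded credentials for $user\n";
} elsif (@ARGV && $ARGV[0] eq 'unload') {
    remove_credentials();
} else {
    my ($user, $password) = fetch_credentials();
    if (!defined $user) { notify_missing(); exit 1; }
    print "credentials available for $user\n";   # a real script would DBI->connect here
}
```

As Ted notes, this only relocates the secret: anyone who can run code as the owning uid (or as root) can read the segment with the same `shmget`/`shmread` calls, and `ipcs -m` will list its existence to everyone. What it buys is that there is no file to mis-chmod during a deploy, and that a freshly rebooted server fails closed until the owner reloads the credentials.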