Mabe you can put the database in charge. You'd rewrite your script as a
trigger on a dummy table and have the trigger do all the critical stuff.
Oracle has a complete JVM inside the database, and Microsoft a CLR. So
your cron script would log into the database using a locked down account
that can only, access one table. This table would have a trigger connected
to it that would then start the real, critical work. Depending on the
options that the database trigger programming language offers you, you
could either put the whole script inside the trigger, or have the trigger
create the data that the real script needs to perform its duty, and then
call the real script from within the database. This way, the user/password
pair that a hacker could find, would only allow the hacker to access a
worthless table and trigger the trigger, but nothing else.
Carsten
Liran Cohen <theog@artnet.co.il>
21.03.2005 13:43
An: Jeff Robertson <Jeff.Robertson@DigitalInsight.com>
Kopie: "Webappsec (E-mail)" <webappsec@securityfocus.com>
Thema: Re: clear-text passwords in shell/perl scripts
Hi Jeff,
I don't really know what database u'r using , but maybe using PKI?
TheOg
Jeff Robertson wrote:
Say that a perl script needs access to a database, and access to this
database requires a password. The script needs to run automatically with
no
human intervention, so it is not possible to prompt a user to enter the
password at run time. This means that the password must either be in the
script itself or in a file readable by the script.
I have been asked what can be done to protect this password from falling
into the wrong eyes. My recommendation is to tightly control read
permissions to the script and/or the file that contains the password.
Make
the file owned by a special-purpose user who only exists to run this
script,
and chmod it to 600. That sort of thing.
It has been suggested to encrypt the password. Since the script needs to
get
the clear text of the passwords in order to use them, this will need to
be
symmetric encryption and the script will need to have the key available,
presumably stored in yet another file. As there would be no way to keep
the
key from being stolen other than to use the file permissions that were
being
relied on previously, you've just increased the complexity of the system
without actually making it any more secure. This is bad. You'd be better
off
sticking with the simpler solution, since the security is the same either
way.
Can anyone either refute or provide further points in support of my
stance
on this?
Jeff Robertson
Manager of Web Application Security
Digital Insight
