RE: clear-text passwords in shell/perl scripts

I would add it is important to know the risks of the system, and have plans 
to mitigate the risks; or just have the proper official sign off this as an 
allowed risk (C&A).

I know in NIST-SP800-026(Security Selft Assessment), Security Control 
#15.1.3 asks whether passwords are embedded in scripts. In other words, 
there better be a very good reason for it. :-)

Shirkdog
http://www.shirkdog.us



> From: "Ofer Shezaf" <Ofer.Shezaf@breach.com>
> To: "Jeff Robertson" <Jeff.Robertson@DigitalInsight.com>,"Webappsec 
> (E-mail)" <webappsec@securityfocus.com>
> Subject: RE: clear-text passwords in shell/perl scripts
> Date: Wed, 23 Mar 2005 14:58:11 -0500
>
>
>
> Well Jeff, I think that you must combine both methods.
>
> The limitation of file permissions is the numerous privilege escalation
> vulnerabilities out there.
>
> You are right about encrypting passwords with keys stored on the machine
> (or otherwise trying to hide the password), but it does help to deter
> casual hackers.
>
> I like Jeremiah Grossman's article "The 80/20 Rule for Web Application
> Security" (http://www.webappsec.org/articles/013105-plain.html). We must
> always remember the total security is an unachievable goal and that we
> should do our best. The chances that a hacker, looking for the weakest
> point, will skip us are greater the more we invest in security.
>
> ~ Ofer
>
>
> Ofer Shezaf
> CTO, Breach Security
>
> Tel: +972.9.956.0036 ext.212
> Cell: +972.54.443.1119
> ofers@breach.com
> http://www.breach.com
>
>
> > -----Original Message-----
> > From: Jeff Robertson [mailto:Jeff.Robertson@DigitalInsight.com]
> > Sent: Friday, March 18, 2005 8:19 PM
> > To: Webappsec (E-mail)
> > Subject: clear-text passwords in shell/perl scripts
> >
> > Say that a perl script needs access to a database, and access to this
> > database requires a password. The script needs to run automatically
> with
> > no
> > human intervention, so it is not possible to prompt a user to enter
> the
> > password at run time. This means that the password must either be in
> the
> > script itself or in a file readable by the script.
> >
> > I have been asked what can be done to protect this password from
> falling
> > into the wrong eyes. My recommendation is to tightly control read
> > permissions to the script and/or the file that contains the password.
> Make
> > the file owned by a special-purpose user who only exists to run this
> > script,
> > and chmod it to 600. That sort of thing.
> >
> > It has been suggested to encrypt the password. Since the script needs
> to
> > get
> > the clear text of the passwords in order to use them, this will need
> to be
> > symmetric encryption and the script will need to have the key
> available,
> > presumably stored in yet another file. As there would be no way to
> keep
> > the
> > key from being stolen other than to use the file permissions that were
> > being
> > relied on previously, you've just increased the complexity of the
> system
> > without actually making it any more secure. This is bad. You'd be
> better
> > off
> > sticking with the simpler solution, since the security is the same
> either
> > way.
> >
> > Can anyone either refute or provide further points in support of my
> stance
> > on this?
> >
> > Jeff Robertson
> > Manager of Web Application Security
> > Digital Insight

_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to 
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement