Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place! |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
05-22-2017, 03:22 PM
|
#1
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Rep:
|
Hiding passwords in scripts?
I am working on a bash script which logs into a database via a command-line program.
I need to provide the administrator password to the database command line tool, and am not sure how to properly hide the value.
The command line program allows you to set the password in a shell variable to avoid putting it on the command line, or as part of a HERE document.
However, how do I get it into the shell variable without it being exposed in a filesystem?
|
|
|
05-22-2017, 04:16 PM
|
#3
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Original Poster
Rep:
|
Quote:
Originally Posted by ondoho
|
Yes, but these answers don't fit the bill.
All of them still require the password to be in a file in the filesystem.
|
|
|
05-22-2017, 04:32 PM
|
#4
|
Senior Member
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,019
|
Is the script being called interactively (i.e. by a user) or in an automated way (e.g. by a cronjob).
In the first case you could set the variable containing the password even before calling the script. Or you could prompt for it using the read command.
In the second case it would be more difficult and possible answers would depend on your requirements, so maybe you could desribe those a bit more. (I am assuming your question has a security-related motivation, so please describe the attack scenario vs. legitimate use of the script).
Maybe it would solve your problem if the script was called from a cronjob running on another (more trusted) machine via ssh which could provide the password? (In that case make sure it is not showing up in ssh server logs of the target machine!)
|
|
|
05-22-2017, 05:01 PM
|
#5
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Original Poster
Rep:
|
Quote:
Originally Posted by joe_2000
Is the script being called interactively (i.e. by a user) or in an automated way (e.g. by a cronjob).
In the first case you could set the variable containing the password even before calling the script. Or you could prompt for it using the read command.
In the second case it would be more difficult and possible answers would depend on your requirements, so maybe you could desribe those a bit more. (I am assuming your question has a security-related motivation, so please describe the attack scenario vs. legitimate use of the script).
Maybe it would solve your problem if the script was called from a cronjob running on another (more trusted) machine via ssh which could provide the password? (In that case make sure it is not showing up in ssh server logs of the target machine!)
|
The script would be called via automation (most likely cron).
The requirements are based on auditing policy which does not allow us to store any passwords in the filesystem.
We do not (currently) have any more trusted machine, as if I could reach it from the first host it's just as open to being hacked.
Getting an 'exception' to the policy is always an option, but im being asked to make sure there are no other alternatives before proceeding with an exception request.
|
|
|
05-22-2017, 05:55 PM
|
#6
|
LQ Veteran
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: Rocky 9.5
Posts: 5,824
|
Quote:
Originally Posted by usao
All of them still require the password to be in a file in the filesystem.
|
You should (might?) be able to set permissions on such a file so that only the user running the cron and root could see it.
|
|
|
05-22-2017, 06:26 PM
|
#7
|
LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573
|
Quote:
Originally Posted by usao
The requirements are based on auditing policy which does not allow us to store any passwords in the filesystem.
|
Well I'm not sure what your options are then. If you can't type it in interactively and you can't store it on the filesystem, where do you plan for the script to access the password? Whether it's plain-text in the script, or in the cron tab, or on another machine, or encrypted in a file with the password for that file located in plain-text in one of the above-mentioned locations...you're still storing the password in the filesystem, which is against policy. I think the only way around this is to get an exception to the policy. In doing so there are a few options, such as restricting permissions, putting it on a tmpfs/ramfs filesystem that gets wiped when the machine is power-cycled, etc.
|
|
|
05-22-2017, 06:37 PM
|
#8
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Original Poster
Rep:
|
That's the rub. Ive heard of some type of key server type of thing, but don't know anything about them.
Supposedly you can checkout the password dynamically, in memory, but I don't know what they are called or anything else.
|
|
|
05-22-2017, 07:28 PM
|
#9
|
LQ Guru
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
|
How about you write a program to run on your computer and do the actual database read/writes, not in shell script but in some language where you can employ binary code obfuscation and which can access the database securely using the password calculated from its own internals. The program will also check to see if any of its own code has been modified at any point. The program would have *very specific and restricted* login permissions to the database and transactions it could undertake. Naturally the source code would be nowhere near the machine in question.
A hacker with root access to your computer and reasonable skills will be able to do anything they want, effectively, but if you make it more difficult to achieve their task then they *might* think about finding a softer target.
|
|
|
05-22-2017, 07:47 PM
|
#10
|
Senior Member
Registered: Feb 2003
Distribution: debian
Posts: 4,137
|
What is the logging in for? Is it something that can be done by other means? With a middle man that runs on the database server that generates results to a file, or inputs changes from a file. With more acceptable scp or sftp methods via key pairs?
From a certain point of view, ALL passwords are on the disk / filesystem. Baring the rare exception of hardware that handles that function. Even if it's in the program it's on a filesystem. You can hide it logically by joining multiple chunks from non-adjacent locations, or convert it from hex or binary strings. But it's still ON the filesystem from an overly technical point of view.
|
|
|
05-23-2017, 09:05 AM
|
#11
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Original Poster
Rep:
|
The app server is the middle man in this case. The application needs to login to the database to get access to data.
While it's possible to store the password encrypted, the decryption process itself requires a password, so that's a catch-22.
|
|
|
05-23-2017, 09:23 AM
|
#12
|
Senior Member
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,019
|
I vote for the exception to the policy. Implemented in a responsible way. The thing is: The application is on the machine. Whatever you implement: there will always be a risk that someone who "hacked into the machine" will be able to intercept/reverse engineer/reproduce or otherwise compromise the authentication process.
The time you spent on this question would be better spent thinking about how to implement general hardening for the machine to prevent it from being compromised in the first place.
Oh, just to make sure it has been said: for your app server you'll want to use login credentials of a database user that only has read access if that's all your application needs.
|
|
1 members found this post helpful.
|
05-23-2017, 11:26 AM
|
#13
|
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Rep:
|
Unavoidable?
I do use export scripts in a root-owned crons.
stored in /root/ and 700
But...<wait for it>
as suggested, it is a database "user" with the least amount of privs necessary.
It is the exception and not the rule.
Just sayin'
Last edited by Habitual; 05-23-2017 at 11:27 AM.
|
|
|
05-23-2017, 11:49 AM
|
#14
|
Member
Registered: Dec 2011
Location: Chandler, AZ
Posts: 286
Original Poster
Rep:
|
The "user" is the database account itself. The scripts are all of administrative nature, auditing, code release, monitoring and ETL.
Ill probably have to go with the exception, but was trying to cover my bases and see if there was some other tool/utility or methodology which could work that I wasn't aware of.
|
|
|
05-23-2017, 02:05 PM
|
#15
|
LQ Guru
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342
|
The ole' CRON job needs password to run scenario -
color me stupid but it seems to me if a cron job needed a password to run then it needs to be ran on the Administrate (root) side where no password is needed. Then only one that is root or has that password can fiddle with it. fingers then would be known where to point if something happens that is directly related to that script (job) running.
Last edited by BW-userx; 05-23-2017 at 02:06 PM.
|
|
|
All times are GMT -5. The time now is 01:48 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|