Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Private temporal files on Windows

by salva (Abbot)
on Dec 18, 2014 at 13:11 UTC ( #1110748=perlquestion: print w/replies, xml ) Need Help??
salva has asked for the wisdom of the Perl Monks concerning the following question:

I am improving the support for Windows in Net::SSH::Any and adding backends for additional SSH clients, including one for the Tectia command line client sshg3 which has the nice feature of being fast (because it reuses connections transparently).

Currently I am passing passwords to sshg3 on the command line, but that is quite insecure as anybody with access to the machine can see them. Fortunately, the program also accepts reading them from a file, but now the problem is that I don't really know how to create a temporary file which only the current user is allowed to access on Windows...

Well, ok, I could invent something, but I don't like inventing things when security is involved and specially on a platform that I don't know well.

So, can anybody illuminate me?

And while we are at it, beta-testers for Net::SSH::Any are welcome. The development version is available from GitHub.

Replies are listed 'Best First'.
Re: Private temporal files on Windows
by Corion (Pope) on Dec 18, 2014 at 13:50 UTC

    I fear you will have to use CreateFile together with the appropriate SECURITY_ATTRIBUTES. Maybe you can get around this by "only" having a small race condition by using a named pipe (CreateFile('\\\\.\\pipe\\net-ssh-any-pipe', ... ). The named pipe should roughly appear to a client as a line based file, and will not be stored on disk.

    Still, the proper way would be to set up the appropriate SECURITY_ATTRIBUTES in a way that only child processes of the current process are allowed to access that pipe (or a tempfile).

    Unfortunately, I don't find a handy example of how to configure an appropriate security descriptor on the MSDN. I guess that creating a DACL (if possible) that only lists the child process as allowed to read would be a good approach.

Re: Private temporal files on Windows
by BrowserUk (Pope) on Dec 18, 2014 at 20:46 UTC

    I'd suggest avoiding the file system completely and using a Named Pipe.

    Your perl code creates a named pipe before starting the child process, then supplies the full name of the named pipe to the (asynchronously started) child process as the password file name; it then waits for the child to open the "file" and supplies the password.

    Using Win32::Pipe this can be done so:

    #! perl -slw use strict; use Win32::Pipe; my $pipe = Win32::Pipe->new( 'MyPipe' ); print system 1, 'c:\test\dummyCapp.exe \\\\.\\pipe\\MyPipe' or die $?; $pipe->Connect; $pipe->Write( 'The quick brown fox' ); $pipe->Disconnect; $pipe->Close;

    I knocked up this as a substitute for the sshg3 app:

    #include <stdio.h> int main( int argc, char **argv ) { FILE *f; if( argc < 2 ) { fprintf( stderr, "No filename given\n" ); exit( -1 ); } if( f = fopen( argv[1], "r" ) ) { int read = 0; char pword[ 1024 ]; if( read = fread( pword, sizeof( char ), 1024, f ) ) { printf( "Got: '%s'\n", pword ); } else { fprintf( stderr, "Failed to read anything\n" ); exit( -2 ); } } else { fprintf( stderr, "Couldn't open file %s: %d\n", argv[1], GetLa +stError() ); exit( -3 ); } printf( "Ending...\n" ); return 0; }

    And running the perl script gives:

    C:\test>junk50 560 Got: 'The quick brown fox' Ending...

    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.
      That was the first thing I tried, but the slave program doesn't like opening pipes.

      Sysinternals Process Monitor utility shows that it doesn't try to open anything. It probably runs some internal checks, on the pipe filename or in the parent (pseudo-)directory and they fail.

        Then I suggest trying the extprog method: --password=extprog://PROGRAM; and have that program (a perl script) connect to the named pipe to fetch the password and emit it to its stdout.

        I'd avoid trying to get into the world of windows permissions; its a nightmare to end all nightmares.


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.
Re: Private temporal files on Windows
by nikosv (Chaplain) on Dec 18, 2014 at 18:22 UTC
Re: Private temporal files on Windows
by bulk88 (Priest) on Dec 28, 2014 at 09:44 UTC

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1110748]
Approved by Corion
help
Chatterbox?
and a log crumbles through the grate...

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (6)
As of 2018-01-17 11:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    How did you see in the new year?










    Results (198 votes). Check out past polls.

    Notices?