Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: Hide DBI password in scripts

by afoken (Abbot)
on Jan 13, 2018 at 00:20 UTC ( #1207175=note: print w/replies, xml ) Need Help??


in reply to Hide DBI password in scripts

The C program will only return the password to registered calling programs or scripts - and checks the registered inode value to ensure it was not altered.

Uh, I did not see that. Creative, but breakable. There are editors that can edit files without altering the inode number, vi is the most common one.

For perl scripts, that does not help much, see my previous posting. You would also have to check all modules that the script may load, including the ones loaded at runtime, and the *.so for XS modules. And you would have to check that no "evil" modules are loaded. The perl debugger could be used to bypass the normal flow of operation, and of course to read the secret, so you need to check for that, too. To make things interesting, the security checks should allow updating perl modules via CPAN or distrubution packages.

/proc/$PID/comm can be modifed at runtime. I can run any program that I want and change that value so that it passes the check. And it is specific for Linux, not available elsewhere, and not on all Linux versions.

/proc/$PID/cmdline is read-only, so you could check for some tricks played on the command line. But you also have to check for several environment variables, see perlrun. You also have to check for sitecustomize.pl. And that's just perl. Other scripting languages have similar tricks.

LD_PRELOAD can do very evil stuff to any dynamically linked program, see ld.so. If I can inject a shared object that calls the secret-emitting program even before main() runs, your secret is no longer secret. So you definitively have to check the environment.

What happens for strace -o /tmp/trace /home/shared/bin/shared-program? I would expect to find the secret in /tmp/trace.


Just for fun, read suEXEC Security Model. All of these paranoid checks are there just to safely run CGIs as a different user, this program is not trying to keep anything secret.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Replies are listed 'Best First'.
Re^2: Hide DBI password in scripts
by danielgr (Initiate) on Jan 13, 2018 at 01:33 UTC

    We can probably solve the perl debugger problem with something like:

    $db=DBI->connect("DBI:Oracle:sid=$DBSID;host=$DBHOST;port=$DBPORT;","$ +DBUSER",`/path/shared_C_program`) || ($err=$db->errstr);


    Thank you for the wealth of information.

      We can probably solve the perl debugger problem with something like:

      $db=DBI->connect("DBI:Oracle:sid=$DBSID;host=$DBHOST;port=$DBPORT;","$ +DBUSER",`/path/shared_C_program`) || ($err=$db->errstr);

      I don't need a debugger for that. strace is sufficient:

      /tmp>cat password-keeper.c #include <stdio.h> int main(int argc, char ** argv) { // note: security checks omitted // note: deobfuscation omitted fputs("postgres",stdout); return 0; } /tmp>make password-keeper cc password-keeper.c -o password-keeper /tmp>strip password-keeper /tmp>cat victim.pl #!/usr/bin/perl use strict; use warnings; use DBI; my $dbh=DBI->connect('dbi:Pg:dbname=postgres','postgres',`./password-k +eeper`,{ RaiseError => 1 }); my $sth=$dbh->prepare('select 42 as answer'); $sth->execute(); $sth->dump_results(); /tmp>strace -f -o trace.txt -e trace=write,process perl victim.pl 42 1 rows /tmp>cat trace.txt 26962 execve("/usr/local/bin/perl", ["perl", "victim.pl"], [/* 40 vars + */]) = 0 26962 arch_prctl(ARCH_SET_FS, 0x7f04ca5ce700) = 0 26962 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETT +ID|SIGCHLD, child_tidptr=0x7f04ca5ce9d0) = 26963 26963 execve("./password-keeper", ["./password-keeper"], [/* 40 vars * +/]) = 0 26963 arch_prctl(ARCH_SET_FS, 0x7f7d4ad21700) = 0 26963 write(1, "postgres", 8) = 8 26963 exit_group(0) = ? 26963 +++ exited with 0 +++ 26962 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26963, + si_uid=1001, si_status=0, si_utime=0, si_stime=0} --- 26962 wait4(26963, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = + 26963 26962 write(1, "42\n1 rows\n", 10) = 10 26962 exit_group(0) = ? 26962 +++ exited with 0 +++ /tmp>

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1207175]
help
Chatterbox?
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others examining the Monastery: (5)
As of 2018-01-21 02:05 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    How did you see in the new year?










    Results (227 votes). Check out past polls.

    Notices?