Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Perl Setuid - Oracle Password Hardcoding

by hmadhi (Acolyte)
on Nov 16, 2011 at 05:50 UTC ( #938318=perlquestion: print w/ replies, xml ) Need Help??
hmadhi has asked for the wisdom of the Perl Monks concerning the following question:

We have the following situation.

To avoid hardcoding of Oracle Passwords in our perl scripts, our DBAs have made a password file available on our application server as user "secure" (/home/secure/orapwd/password.txt). No one has access to this file apart from user "secure". On the other hand the perl scripts run as user "ora". What we require is for user "ora" to access the password file and retrieve the appropriate oracle password, and pass the password to the database handler to connect to the database.

Any ideas and how we can solve this problem. setuid scripts is an option, but as usual we need to be cautious

Comment on Perl Setuid - Oracle Password Hardcoding
Re: Perl Setuid - Oracle Password Hardcoding
by keszler (Priest) on Nov 16, 2011 at 06:55 UTC

    One possibility would be to connect from the perl scripts to the application server (even if it's localhost) via Net::SSH as user "secure", using pre-generated key files (see Net::SSH#GENERATING_AND_USING_SSH_KEYS) to avoid having the "secure" user password hardcoded. Issue a command over the SSH connection to read the password file and you're all set.

Re: Perl Setuid - Oracle Password Hardcoding
by JavaFan (Canon) on Nov 16, 2011 at 07:25 UTC
    sudo was developed more than 3 decades ago to solve problems like that.

    Learn it. Use it.

    And for more information about your non-Perl question, try a Unix forum.

      It sounds like the dbas don't want the developer to know the password to Oracle. If they run the script with sudo or setuid or whatever, what would prevent them from just having the code print out the password that was read from the file?
        Considering that the OP is talking about an application server, it looks to me this is a standard production security policy, not something to pester developers with. It's not a measure to defend against internal attacks*, but to prevent escalation after an intrusion. Of course, the script should be non-modifiable.

        *Although with some effort, it can help to protect against insiders wearing a black hat.

        True. However we will not have access to the scripts on the production servers. They are rollout using SVN.

      Two hints:

      1. Given sufficient permissions in /etc/sudoers, the command /usr/bin/sudo -u foo /usr/bin/cat /home/foo/bar.txt runs cat as user foo and writes the contents of /home/foo/bar.txt to STDOUT.
      2. In Perl, $text=`/usr/games/fortune -a`; runs /usr/games/fortune -a and collects all text written to STDOUT in $text. See Safe Pipe Opens for a more robust variant.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: Perl Setuid - Oracle Password Hardcoding
by Anonymous Monk on Nov 16, 2011 at 13:22 UTC
    In most systems, Access Control Lists (ACLs) can be used to specify file-access rules apart from the usual rwxr-x-r-x conventions of Unix.
Calling a setuid script in a perl script
by hmadhi (Acolyte) on Nov 18, 2011 at 16:21 UTC

    I have two perl scripts:

    1. getPwd.pl - setuid perl script that returns a password

    sub getOraPwd{ ... ... return $password; } getOraPwd();

    2. testDBConn.pl

    I want to call getPwd.pl in the testDBConn.pl script and assign the result of the getPwd script to the $password variable to connect to a database. Remember the getPwd.pl script is setuid, and therefore setup for the testDBConn.pl to run getPwd.pl

    eg.

    $username="blah"; $password=result from getPwd.pl $dsn=qq{...}; $dbh=DBI->connect($dsn, $username, $password)};

      In testDBConn.pl:

      # assuming getPwd.pl is in @INC require 'getPwd.pl'; $password = getOraPwd();
      For this to work getPwd.pl will need to return a true value. That's as simple as putting 1; as the last line in the script.

      You might also consider creating a module and use'ing that. This might be helpful in such a venture: Josť's Guide for creating Perl modules

        I assume the OP wants it as an extra suid script because it must read a file the main script has no permissions for, and it makes complete sense to keep the suid portions of a script as small as possible. Making the whole thing a module would defeat this purpose.

        If I understood this correctly, the solution is very easy:

        $password = `getPwd.pl`; chomp $password;

        Apologies, You are correct. However I also needed to know how to pass a value from one script to another. I am indeed now going to use sudo.

        This is the error I get sudo: sorry, you must have a tty to run sudo

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://938318]
Approved by keszler
Front-paged by toolic
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (4)
As of 2014-09-20 22:01 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (163 votes), past polls