Re: Perl Setuid - Oracle Password Hardcoding
by keszler (Priest) on Nov 16, 2011 at 06:55 UTC
|
One possibility would be to connect from the perl scripts to the application server (even if it's localhost) via Net::SSH as user "secure", using pre-generated key files (see Net::SSH#GENERATING_AND_USING_SSH_KEYS) to avoid having the "secure" user password hardcoded. Issue a command over the SSH connection to read the password file and you're all set.
| [reply] |
Re: Perl Setuid - Oracle Password Hardcoding
by JavaFan (Canon) on Nov 16, 2011 at 07:25 UTC
|
sudo was developed more than 3 decades ago to solve problems like that.
Learn it. Use it.
And for more information about your non-Perl question, try a Unix forum.
| [reply] [d/l] |
|
It sounds like the dbas don't want the developer to know the password to Oracle.
If they run the script with sudo or setuid or whatever, what would prevent them from just having the code print out the password that was read from the file?
| [reply] |
Re: Perl Setuid - Oracle Password Hardcoding
by Anonymous Monk on Nov 16, 2011 at 13:22 UTC
|
In most systems, Access Control Lists (ACLs) can be used to specify file-access rules apart from the usual rwxr-xr-x conventions of Unix.
| [reply] |
Calling a setuid script in a perl script
by hmadhi (Acolyte) on Nov 18, 2011 at 16:21 UTC
|
sub getOraPwd{
...
...
return $password;
}
getOraPwd();
2. testDBConn.pl
I want to call getPwd.pl in the testDBConn.pl script and assign the result of the getPwd script to the $password variable to connect to a database. Remember the getPwd.pl script is setuid, and therefore set up for testDBConn.pl to run getPwd.pl.
e.g.
$username="blah";
$password=...;   # result from getPwd.pl
$dsn=qq{...};
$dbh=DBI->connect($dsn, $username, $password);
| [reply] [d/l] [select] |
|
Apologies, you are correct. However, I also needed to know how to pass a value from one script to another. I am indeed now going to use sudo.
This is the error I get: sudo: sorry, you must have a tty to run sudo
| [reply] |
|
# assuming getPwd.pl is in @INC
require 'getPwd.pl';
$password = getOraPwd();
For this to work getPwd.pl will need to return a true value. That's as simple as putting 1; as the last line in the script.
You might also consider creating a module and use'ing that. This might be helpful in such a venture: José's Guide for creating Perl modules
| [reply] [d/l] [select] |
|
I assume the OP wants it as an extra suid script because it must read a file the main script has no permissions for, and it makes complete sense to keep the suid portions of a script as small as possible. Making the whole thing a module would defeat this purpose.
If I understood this correctly, the solution is very easy:
$password = `getPwd.pl`;
chomp $password;
| [reply] [d/l] |
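An added example, not code from any poster in this thread: one way for testDBConn.pl to capture the helper's output without involving a shell or a PATH lookup, and to fail closed when the helper fails. The helper location `/usr/local/bin/getPwd.pl` and the convention that it prints the password as its first line and exits 0 are assumptions; the "secure" user in the sudo variant is the one named in the first reply.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(_exit);

# Assumed install path of the small privileged helper; adjust for your system.
my $HELPER = shift // '/usr/local/bin/getPwd.pl';

# Run @cmd directly (no shell) and return the first line it prints.
sub fetch_password {
    my (@cmd) = @_;
    die "command path must be absolute\n" unless @cmd && $cmd[0] =~ m{^/};

    # Give the child a minimal, known environment instead of the caller's.
    local %ENV = (PATH => '/usr/bin:/bin');

    my $pid = open(my $fh, '-|');        # fork; child's STDOUT feeds $fh
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        exec { $cmd[0] } @cmd;           # indirect-object form never uses a shell
        print STDERR "exec $cmd[0] failed: $!\n";
        _exit(127);
    }

    my $password = <$fh>;
    # close() on a piped handle waits for the child and sets $?.
    close($fh) or die "$cmd[0] failed (exit status " . ($? >> 8) . ")\n";

    die "$cmd[0] returned no password\n"
        unless defined $password && $password =~ /\S/;
    chomp $password;
    return $password;
}

# Direct call to a setuid helper:
my $password = fetch_password($HELPER);

# Variant through sudo: -n makes sudo fail instead of prompting.
# my $password = fetch_password('/usr/bin/sudo', '-n', '-u', 'secure', $HELPER);

# The value then goes straight to DBI->connect($dsn, $username, $password);
# it is never printed or logged here.
```

Compared with the backtick form, a non-zero exit or empty output from the helper stops the script instead of passing an empty password to the database driver.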