Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery

Re: Perl Setuid - Oracle Password Hardcoding

by JavaFan (Canon)
on Nov 16, 2011 at 07:25 UTC ( #938326=note: print w/replies, xml ) Need Help??

in reply to Perl Setuid - Oracle Password Hardcoding

sudo was developed more than 3 decades ago to solve problems like that.

Learn it. Use it.

And for more information about your non-Perl question, try a Unix forum.

Replies are listed 'Best First'.
Re^2: Perl Setuid - Oracle Password Hardcoding
by zekeb (Initiate) on Nov 17, 2011 at 00:15 UTC
    It sounds like the dbas don't want the developer to know the password to Oracle. If they run the script with sudo or setuid or whatever, what would prevent them from just having the code print out the password that was read from the file?
      Considering that the OP is talking about an application server, it looks to me this is a standard production security policy, not something to pester developers with. It's not a measure to defend against internal attacks*, but to prevent escalation after an intrusion. Of course, the script should be non-modifiable.

      *Although with some effort, it can help to protect against insiders wearing a black hat.

      True. However we will not have access to the scripts on the production servers. They are rollout using SVN.

Re^2: Perl Setuid - Oracle Password Hardcoding
by afoken (Monsignor) on Nov 19, 2011 at 08:44 UTC

    Two hints:

    1. Given sufficient permissions in /etc/sudoers, the command /usr/bin/sudo -u foo /usr/bin/cat /home/foo/bar.txt runs cat as user foo and writes the contents of /home/foo/bar.txt to STDOUT.
    2. In Perl, $text=`/usr/games/fortune -a`; runs /usr/games/fortune -a and collects all text written to STDOUT in $text. See Safe Pipe Opens for a more robust variant.


    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://938326]
[Corion]: haukex: Yes, that approach is sane, and it heals the fragility of Pod parsers in a nice way while still syntax-checking stuff
[choroba]: Unfortunately, none of it is online
[haukex]: I figured that POD tests make sense, but only as author tests
[choroba]: I mean, the slides are, but not the makefile with scripts to create them
[Corion]: haukex: I've only now arrived at that revelation ;)
[Corion]: choroba: I use spod5, which also has that support, and also implements its own kinda-make stuff
[haukex]: But that module I just linked to assumes that most verbatim blocks are runnable code, I have other modules where that's not the case, so there I just copy-and-paste the synopsis into the author tests...
[haukex]: not the most efficient, but then again, I don't have that many modules on CPAN :-)
[Corion]: haukex: Yes, but if it's only supposed to run on my machine, I can be far more liberal with how I extract the code etc.
[Corion]: haukex: Yes - I see the benefit of using Dist::Zilla for people with 150+ modules on CPAN, but I don't see it for myself, and I'm always put off from contributing to such modules because they require a lot of toolchain setup that I don't want to ...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (11)
As of 2017-02-27 12:29 GMT
Find Nodes?
    Voting Booth?
    Before electricity was invented, what was the Electric Eel called?

    Results (385 votes). Check out past polls.