PerlMonks  

Perl Setuid - Oracle Password Hardcoding

by hmadhi (Acolyte)
on Nov 16, 2011 at 05:50 UTC ( [id://938318]=perlquestion )

hmadhi has asked for the wisdom of the Perl Monks concerning the following question:

We have the following situation.

To avoid hardcoding of Oracle Passwords in our perl scripts, our DBAs have made a password file available on our application server as user "secure" (/home/secure/orapwd/password.txt). No one has access to this file apart from user "secure". On the other hand the perl scripts run as user "ora". What we require is for user "ora" to access the password file and retrieve the appropriate oracle password, and pass the password to the database handler to connect to the database.

Any ideas on how we can solve this problem? setuid scripts are an option, but as usual we need to be cautious.


Replies are listed 'Best First'.
Re: Perl Setuid - Oracle Password Hardcoding
by keszler (Priest) on Nov 16, 2011 at 06:55 UTC

    One possibility would be to connect from the perl scripts to the application server (even if it's localhost) via Net::SSH as user "secure", using pre-generated key files (see Net::SSH#GENERATING_AND_USING_SSH_KEYS) to avoid having the "secure" user password hardcoded. Issue a command over the SSH connection to read the password file and you're all set.

Re: Perl Setuid - Oracle Password Hardcoding
by JavaFan (Canon) on Nov 16, 2011 at 07:25 UTC
    sudo was developed more than 3 decades ago to solve problems like that.

    Learn it. Use it.

    And for more information about your non-Perl question, try a Unix forum.

      It sounds like the dbas don't want the developer to know the password to Oracle. If they run the script with sudo or setuid or whatever, what would prevent them from just having the code print out the password that was read from the file?
        Considering that the OP is talking about an application server, it looks to me this is a standard production security policy, not something to pester developers with. It's not a measure to defend against internal attacks*, but to prevent escalation after an intrusion. Of course, the script should be non-modifiable.

        *Although with some effort, it can help to protect against insiders wearing a black hat.

        True. However, we will not have access to the scripts on the production servers. They are rolled out using SVN.

      Two hints:

      1. Given sufficient permissions in /etc/sudoers, the command /usr/bin/sudo -u foo /usr/bin/cat /home/foo/bar.txt runs cat as user foo and writes the contents of /home/foo/bar.txt to STDOUT.
      2. In Perl, $text=`/usr/games/fortune -a`; runs /usr/games/fortune -a and collects all text written to STDOUT in $text. See Safe Pipe Opens for a more robust variant.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: Perl Setuid - Oracle Password Hardcoding
by Anonymous Monk on Nov 16, 2011 at 13:22 UTC
    In most systems, Access Control Lists (ACLs) can be used to specify file-access rules apart from the usual rwxr-xr-x conventions of Unix.
Calling a setuid script in a perl script
by hmadhi (Acolyte) on Nov 18, 2011 at 16:21 UTC

    I have two perl scripts:

    1. getPwd.pl - setuid perl script that returns a password

    sub getOraPwd {
        ... ...
        return $password;
    }
    getOraPwd();

    2. testDBConn.pl

    I want to call getPwd.pl in the testDBConn.pl script and assign the result of the getPwd script to the $password variable to connect to a database. Remember the getPwd.pl script is setuid, and therefore set up for the testDBConn.pl to run getPwd.pl.

    e.g.

    $username = "blah";
    $password = undef;    # result from getPwd.pl goes here
    $dsn = qq{...};
    $dbh = DBI->connect($dsn, $username, $password);

        Apologies, you are correct. However, I also needed to know how to pass a value from one script to another. I am indeed now going to use sudo.

        This is the error I get: sudo: sorry, you must have a tty to run sudo

      In testDBConn.pl:

      # assuming getPwd.pl is in @INC
      require 'getPwd.pl';
      $password = getOraPwd();

      For this to work getPwd.pl will need to return a true value. That's as simple as putting 1; as the last line in the script.

      You might also consider creating a module and use'ing that. This might be helpful in such a venture: José's Guide for creating Perl modules

        I assume the OP wants it as an extra suid script because it must read a file the main script has no permissions for, and it makes complete sense to keep the suid portions of a script as small as possible. Making the whole thing a module would defeat this purpose.

        If I understood this correctly, the solution is very easy:

        $password = `getPwd.pl`;
        chomp $password;
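
The sudo hint and the Safe Pipe Opens pointer from earlier in the thread, combined into one helper. This is an added example, not code posted by any participant. The sudoers entry shown in the comments, the /usr/bin/cat path and the name read_secret are assumptions; the commented Defaults line concerns the "you must have a tty" error, which sudo prints when requiretty is set.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.
# Assumed sudoers entry (edit with visudo), limited to one exact command:
#   ora ALL=(secure) NOPASSWD: /usr/bin/cat /home/secure/orapwd/password.txt
# Assumed fix for "sorry, you must have a tty to run sudo" (requiretty is set):
#   Defaults:ora !requiretty
use strict;
use warnings;

# Fixed, absolute paths only: nothing in the command comes from user input.
# -n makes sudo fail instead of prompting if the NOPASSWD rule does not match.
my @CMD = ('/usr/bin/sudo', '-n', '-u', 'secure',
           '/usr/bin/cat', '/home/secure/orapwd/password.txt');

sub read_secret {
    my @cmd = @_;

    # Minimal environment for the child process.
    local %ENV = (PATH => '/usr/bin:/bin');

    # List-form pipe open: fork + exec without a shell, so no argument
    # is subject to word splitting or metacharacter expansion.
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!\n";
    my $secret = <$fh>;    # first line only

    # close() returns false if the child exited non-zero,
    # for example when sudo refused the command.
    close($fh)
        or die $! ? "error closing pipe: $!\n"
                  : "$cmd[0] exited with status " . ($? >> 8) . "\n";

    die "no output from $cmd[0]\n" unless defined $secret;
    chomp $secret;
    die "empty password\n" unless length $secret;
    return $secret;
}

my $password = read_secret(@CMD);
# Pass $password straight to DBI->connect($dsn, $username, $password);
# never print or log it.
```

Unlike backticks, the helper dies when sudo exits non-zero, so a denied command is never mistaken for an empty password.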

Node Type: perlquestion [id://938318]
Approved by keszler
Front-paged by toolic