PerlMonks  

Re^3: How can a script use a password without making the password visible?

by hippo (Canon)
on Mar 01, 2017 at 15:56 UTC (#1183296)


in reply to Re^2: How can a script use a password without making the password visible?
in thread How can a script use a password without making the password visible?

ok if you can trust root

If you can't trust root then I'd suggest that you have bigger problems than just protecting your config files.

Re^4: How can a script use a password without making the password visible?
by RonW (Parson) on Mar 03, 2017 at 20:01 UTC
    If you can't trust root then I'd suggest that you have bigger problems than just protecting your config files.

    As I understand it, the SELinux modules can prevent even root from accessing certain files. Of course, then you have to trust your security admin.

      then you have to trust your security admin

      ... and now guess who that might be. ;-)

      But that's not all of the problem. You don't just have to trust root that he is not malicious. You also have to trust root that he is not lazy, uninformed or simply stupid: Imagine a security bug in a completely unrelated program running setuid root or a service started as root. A trustworthy root should install the relevant security update; and he should disable that program or service or at least apply a workaround while no update is available. And root should not give out permissions to any user like candy. Imagine a root doing chmod 4755 exe && chown 0:0 exe for any program a student or intern or manager demands that for. Imagine a root allowing anyone to load a new kernel module.

      Update: There are usually more setuid/setgid programs than you might expect. Just for fun, I ran this little script:

      #!/usr/bin/perl
      use v5.12;           # while (readdir $dir) assigning to $_ needs 5.12+
      use warnings;
      use autodie qw( :all );

      # Unique directories from $PATH, first occurrence wins
      my %seen;
      my @path = grep { !$seen{$_}++ } split /:/, $ENV{'PATH'};

      for my $dirname (@path) {
          opendir(my $dir, $dirname);
          while (readdir $dir) {
              next if -l "$dirname/$_";       # skip symlinks (lstat fills the _ buffer)
              next unless -f -x _;            # regular, executable files only
              (undef, undef, my $mode) = stat _;
              unless (defined $mode) {
                  warn "Can't stat $dirname/$_: $!\n";
                  next;
              }
              ($mode & 06000) or next;        # setuid (04000) or setgid (02000) set?
              printf("%04o %s\n", ($mode & 07777), "$dirname/$_");
          }
          closedir $dir;
      }

      It found 36 binaries in $ENV{'PATH'} running setuid or setgid on my home server:

      4511 /sbin/mount.nfs
      4711 /usr/bin/newuidmap
      4755 /usr/bin/pkexec
      4711 /usr/bin/newgidmap
      4711 /usr/bin/newgrp
      2755 /usr/bin/write
      2755 /usr/bin/wall
      4711 /usr/bin/traceroute6
      4755 /usr/bin/cgexec
      4711 /usr/bin/crontab
      4711 /usr/bin/expiry
      4711 /usr/bin/gpasswd
      2755 /usr/bin/slocate
      2751 /usr/bin/xlock
      4750 /usr/bin/fdmount
      4711 /usr/bin/chfn
      4711 /usr/bin/passwd
      4711 /usr/bin/sudo
      2755 /usr/bin/lockfile
      4711 /usr/bin/chage
      4711 /usr/bin/chsh
      6755 /usr/bin/procmail
      4711 /bin/ping6
      4755 /bin/umount
      4755 /bin/mount
      4711 /bin/ping
      4755 /bin/fusermount
      4711 /bin/su
      4511 /opt/VirtualBox/VirtualBox
      4511 /opt/VirtualBox/VBoxVolInfo
      4511 /opt/VirtualBox/VBoxSDL
      4511 /opt/VirtualBox/VBoxNetAdpCtl
      4511 /opt/VirtualBox/VBoxHeadless
      4511 /opt/VirtualBox/VBoxNetDHCP
      4511 /opt/VirtualBox/VBoxNetNAT
      4755 /opt/exim/bin/exim-4.72-1

      I should ask root a.k.a. myself: Do I need all of these? Do all of these have to run setuid? Are there more, in directories outside $ENV{'PATH'}?

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
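The post's script only looks at the directories in $ENV{'PATH'} and leaves the last question open. The following is an added example, not Alexander's code: it walks whole directory trees with File::Find, applies the same setuid/setgid test, and tallies the results per mode so unusual entries stand out. It assumes the roots to scan are passed as arguments; the default list (/bin, /sbin, /usr, /opt) is an arbitrary choice.

```perl
#!/usr/bin/perl
# Added example: recursive inventory of setuid/setgid binaries, generalising
# the $PATH-only scan above to complete directory trees.
use v5.12;
use warnings;
use File::Find qw(find);

# Roots to scan: command-line arguments, else a default set (assumption).
my @roots = @ARGV ? @ARGV : grep { -d } qw( /bin /sbin /usr /opt );

my %by_mode;    # "4755" => number of files with exactly that mode
my @findings;   # [ mode, uid, gid, path ]

find({
    no_chdir => 1,                      # $File::Find::name is the full path
    wanted   => sub {
        my $path = $File::Find::name;
        return if -l $path;             # lstat: never follow symlinks
        return unless -f _ && -x _;     # regular, executable files only
        my (undef, undef, $mode, undef, $uid, $gid) = stat _;
        return unless $mode & 06000;    # 04000 = setuid, 02000 = setgid
        my $bits = sprintf '%04o', $mode & 07777;
        $by_mode{$bits}++;
        push @findings, [ $bits, $uid, $gid, $path ];
    },
}, @roots);

# One line per binary (owner matters: setuid to a non-root uid is a
# different risk than setuid root), then a per-mode tally.
printf "%s uid=%-5d gid=%-5d %s\n", @$_
    for sort { $a->[3] cmp $b->[3] } @findings;
printf "\n%d setuid/setgid binaries under %s\n",
    scalar @findings, join ', ', @roots;
printf "  mode %s: %d\n", $_, $by_mode{$_} for sort keys %by_mode;
```

Run it as root if you want directories that are not world-readable included; diffing its output against a saved baseline after package installs is an easy way to notice a new setuid binary appearing.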

        And root should not give out permissions to any user like candy.

        I knew someone, a user called candy, and they were trustworthy.

        Couldn't help it... ;-P
