http://www.perlmonks.org?node_id=1183262


in reply to How can a script use a password without making the password visible?

Take your pick but bear in mind that most of these have security concerns depending on who has access to what.

Also be aware that any coder working on a script can have it output any data from the script in any form (save to a file, email it, FTP it, whatever) so you have to trust the coder at some level.

Addendum: Also consider the related FAQ

Re^2: How can a script use a password without making the password visible?
by afoken (Abbot) on Mar 01, 2017 at 15:26 UTC
    Environment variables

    Insecure. See Re^2: exec, echo and pipe and below.

    Per-user config files

    With chmod 0600, ok if you can trust root and the filesystem containing the configuration file is not exposed to other machines (e.g. via NFS or Samba). Insecure if running on a shared hosting webserver, where all code runs using the same user account.

    Command-line switches

    Insecure. See Re^2: exec, echo and pipe and below.

    Prompt the user at run-time (i.e. STDIN)

    Won't work in a web environment.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
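The per-user config file option discussed above, as an added example that is not part of the original thread: a Perl sketch that refuses to read a password unless the file is a regular file, owned by the effective user, with no group or other permission bits (0600 or stricter). The path `~/.myapp.conf` and the `password = ...` key are hypothetical, and the check does nothing about the shared-hosting, NFS/Samba or root caveats mentioned in the comment.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);

# Hypothetical location; adjust to the script's own config file.
my $path = "$ENV{HOME}/.myapp.conf";

sub read_password {
    my ($file) = @_;

    # Open first, then stat the handle, so the checks apply to the file
    # actually being read (no window between check and open).
    open my $fh, '<', $file or die "Cannot open $file: $!\n";
    my @st = stat $fh or die "Cannot stat $file: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$file is not a regular file\n" unless S_ISREG($mode);
    die "$file is not owned by the current user\n" unless $uid == $>;

    # Any group/other permission bit means the file is looser than 0600.
    if ($mode & (S_IRWXG | S_IRWXO)) {
        die sprintf "%s has mode %04o, expected 0600; refusing to read\n",
            $file, S_IMODE($mode);
    }

    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#.*)?$/;    # skip comments and blank lines
        # Hypothetical "password = value" entry.
        if ($line =~ /^\s*password\s*=\s*(.*?)\s*$/) {
            close $fh;
            return $1;
        }
    }
    close $fh;
    die "No password entry in $file\n";
}

my $password = read_password($path);
# Use $password here; do not print it, log it, or pass it on a command line.
```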
      ok if you can trust root

      If you can't trust root then I'd suggest that you have bigger problems than just protecting your config files.

        If you can't trust root then I'd suggest that you have bigger problems than just protecting your config files.

        As I understand it, the SELinux modules can prevent even root from accessing certain files. Of course, then you have to trust your security admin.