Home page logo
/

basics logo Security Basics mailing list archives

RE: [Suspected Spam]Re: script credentials
From: "Ian Bradshaw" <ian () ianbradshaw net>
Date: Thu, 15 Apr 2010 16:49:55 +0100

Presuming the server is secure restricted access and the objective is for
simplicity rather than security, I'd stick them in the perl file.

For future convenience, I've got a database module I wrote so when it's
being used by multiple scripts at once etc or developing different scripts I
can just call it ... depends how much coding your doing.

Your not going to be able to hide the password apart from at OS level privs.

#!/usr/bin/perl

package IB_Database;

return 1;

sub MySQL {

  use DBI;

  # MySQL CONFIG VARIABLES
  $driver = "mysql"; 
  $database = "tablespace";
  $dsn = "DBI:$driver:database=$database";
  $userid = "username";
  $password = "password";
  
  $dbh = DBI->connect($dsn, $userid, $password, {AutoCommit => 0} ) or die
$DBI::errstr;
  
  return($dbh);

}

Just call it with 

use IB_Database;

($dbh) = IB_Database::MySQL;


The advantage of that is whenever you do a script in the future you know
where all the config stuff is, and also anyone else that has to mess with
it; and if you change DBs just have sub Oracle, sub whatever ... so you can
keep it common between all your stuff.

I also do one along the same lines for other config variables that need
setting ... theres no template I've got for them, but they all sit in an
IB_Settings.pm file so I know in the future if I'm moving servers or
whatever that all specific settings / paths / whatever are in the one config
file no matter what my script / app is doing.

Dunno if thats the sort of thing you were after or a more security
perspective, to which the short answer is there isn't really in Perl for
storing users / passwords ... needs doing at OS level.

Cheers

I.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of NM Support [NetMonastery]
Sent: 14 April 2010 18:21
To: Bryce Verdier
Cc: security-basics () securityfocus com
Subject: [Suspected Spam]Re: script credentials

Bryce,

Frankly, your options are extremely limited, so here goes. Embed the  
password in the perl file, harden the directory around it. Execute the  
script from crontab using root privileges. However, this is a serious  
challenge, for cron to execute.

Shomiron


NM Support [NetMonastery]
nmsupport () net-mon net



On 19-Feb-10, at 11:30 PM, Bryce Verdier wrote:

Hello,

So I've been writing a Perl script for my job. The script will be  
run from a cron job (interval not yet set) and deposit some  
information to a database. The database has a user with minimal  
rights to insert data.

So my question is with regards to how should the database user  
credentials be kept. So far the discussion has had three options:

1) credentials within the script
2) command line
3) config file

Each one has their own advantages & disadvantages but I would like  
to get the opinion of the community as to which one gets the label  
of "best practices".

Thanks in advance guys,

Bryce

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs  
an SSL certificate.  We look at how SSL works, how it benefits your  
company and how your customers can tell if a site is secure. You  
will find out how to test, purchase, install and use a thawte  
Digital Certificate on your Apache web server. Throughout, best  
practices for set-up are highlighted to help you ensure efficient  
ongoing management of your encryption keys and digital certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault