how to hide password in perl CGI script?

Post by New User » Fri, 19 Feb 1999 04:00:00

In order for my perl CGI script to run correctly, I have to set the mode of
my perl script file readable and executable by others (chmod 705 *.pl).
However, since I need to access my Sybase tables, I need to put my
password and username in the script. Is there any way to protect my
password from being seen by others? Thanks.

Post by Michael Peppler » Sat, 20 Feb 1999 04:00:00

> In order for my perl CGI script to run correctly, I have to set the mode of
> my perl script file readable and executable by others (chmod 705 *.pl).
> However, since I need to access my Sybase tables, I need to put my
> password and username in the script. Is there any way to protect my
> password from being seen by others? Thanks.

A CGI script only has to be readable by the user that the http daemon runs as.
So I would run the http daemon as 'nobody', and chown your script to user 'nobody',
and chmod it to 500.

That should take care of the problem (at least for those folks on your net that
don't have root access...)

Michael
--
Michael Peppler         -||-  Data Migrations Inc.
Int. Sybase User Group  -||-  http://www.isug.com

Post by David Graham » Sat, 20 Feb 1999 04:00:00

> In order for my perl CGI script to run correctly, I have to set the mode of
> my perl script file readable and executable by others (chmod 705 *.pl).
> However, since I need to access my Sybase tables, I need to put my
> password and username in the script. Is there any way to protect my
> password from being seen by others? Thanks.

Here's what I do:

These lines in the perl script:
# Read in the data/user/password/server info

A file in the cgi-bin directory, named .auth, chmod 400, containing 1
line:
DBI:Sybase:/username/password/Sybase/dummy

The script reads in the contents of the file, and splits it into an array of:

These lines in the script to make the connection:
# Connect to the server.
$dbh = DBI->connect($Cn[0], $Cn[1], $Cn[2], $Cn[3])
  or die "$DBI::errstr";

This provides the field variables to make the Sybase connection, but the
username/password do not appear in the script itself.  The file with
that information is read-only, accessible only to its owner (me).
That's about as secure as I can make it.

The "dummy" field is only there to ensure the field ahead of it is split
out correctly.  I had trouble with that at the point of connection.
Someday I will go back and figure out the problem.

Any comments?  Particularly, if someone sees a big gaping hole in this,
I would *greatly* *appreciate* finding out.

Thanks,

David Graham
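
A shell audit for the layout David Graham describes (script in cgi-bin, credentials in a dot-file at 400) and the fix Michael Peppler suggests (script owned by the httpd user, mode 500), as an added example that is not code from this thread. It builds a constructed cgi-bin in a temp directory with a script at the OP's mode 705 and a .auth line in David's format, reports every regular file group or others can read, then tightens scripts to 500 and everything else to 400. The file names query.pl and .auth, the directory layout and the placeholder credentials are assumptions; the chown to the web server's uid needs root and is only shown in a comment. The mode test uses find -perm with octal masks rather than test -r, because test -r is always true when run as root and would hide the problem.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a cgi-bin directory for
# files group or others can read and applies the fix suggested in the
# thread: scripts 500, credential file 400. The chown to the httpd uid
# (e.g. "chown nobody cgi-bin/*.pl cgi-bin/.auth") needs root and is not
# done here. File names and layout are assumptions.

# world_or_group_readable FILE
# Exit 0 if the group read bit (040) or the other read bit (004) is set
# on FILE, 1 otherwise. "find -perm -MASK" matches when all bits in MASK
# are set; it does not depend on who runs the check, unlike "test -r".
world_or_group_readable() {
    [ -n "$(find "$1" -type f \( -perm -040 -o -perm -004 \) -print)" ]
}

# audit_cgi_dir DIR
# Print every regular file under DIR that group or others can read.
# Exit 0 if nothing was found, 1 otherwise.
audit_cgi_dir() {
    offenders=$(find "$1" -type f \( -perm -040 -o -perm -004 \) -print)
    if [ -z "$offenders" ]; then
        return 0
    fi
    printf '%s\n' "$offenders"
    return 1
}

# lock_down_cgi_dir DIR
# *.pl scripts become 500 (owner read+execute only); every other regular
# file, including the dot-file holding the credentials, becomes 400.
lock_down_cgi_dir() {
    for f in "$1"/.[!.]* "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pl) chmod 500 "$f" ;;
            *)    chmod 400 "$f" ;;
        esac
    done
}

# make_demo_dir
# Constructed layout matching the thread, in a fresh temp directory: a
# CGI script at 705 and a .auth file in the format David posted, at 400.
# The username/password are placeholders. Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/usr/bin/perl' 'print "Content-type: text/plain\n\n";' > "$d/query.pl"
    printf '%s\n' 'DBI:Sybase:/username/password/Sybase/dummy' > "$d/.auth"
    chmod 705 "$d/query.pl"
    chmod 400 "$d/.auth"
    printf '%s\n' "$d"
}

# Stand-alone run: show the problem, fix it, show that it is gone.
demo=$(make_demo_dir)
printf 'before lock-down (readable by group/others):\n'
audit_cgi_dir "$demo" || printf '-> fixing\n'
lock_down_cgi_dir "$demo"
printf 'after lock-down:\n'
audit_cgi_dir "$demo" && printf '-> nothing readable by group/others\n'
rm -rf "$demo"
```

Run it as the account that owns the files; the audit needs no privilege, the lock-down only needs to own the files. Keep in mind what this check proves and what it does not: it shows that no other login can read the script or .auth through the filesystem, but once the files belong to the web server's uid, any other CGI program that uid executes can still open them, which is the limitation raised later in the thread.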

Post by Michael Peppler » Sat, 20 Feb 1999 04:00:00

> > In order for my perl CGI script to run correctly, I have to set the mode of
> > my perl script file readable and executable by others (chmod 705 *.pl).
> > However, since I need to access my Sybase tables, I need to put my
> > password and username in the script. Is there any way to protect my
> > password from being seen by others? Thanks.

> Here's what I do:

> These lines in the perl script:
> # Read in the data/user/password/server info

> A file in the cgi-bin directory, named .auth, chmod 400, containing 1
> line:
> DBI:Sybase:/username/password/Sybase/dummy

> The script reads in the contents of the file, and splits it into an
> array of:

> These lines in the script to make the connection:
> # Connect to the server.
> $dbh = DBI->connect($Cn[0], $Cn[1], $Cn[2], $Cn[3])
>   or die "$DBI::errstr";

Your $Cn[3] parameter is invalid. The fourth param to DBI->connect() should
be a hash ref. This lets you set global connection attributes such as
RaiseError and PrintError.

Michael
--
Michael Peppler         -||-  Data Migrations Inc.
Int. Sybase User Group  -||-  http://www.isug.com

Post by Abigail » Mon, 22 Feb 1999 04:00:00

++ >
++ > In order for my perl CGI script to run correctly, I have to set the mode of
++ > my perl script file readable and executable by others (chmod 705 *.pl).
++ > However, since I need to access my Sybase tables, I need to put my
++ > password and username in the script. Is there any way to protect my
++ > password from being seen by others? Thanks.
++
++ Here's what I do:
++
++ These lines in the perl script:
++ # Read in the data/user/password/server info

++
++ A file in the cgi-bin directory, named .auth, chmod 400, containing 1
++ line:
++ DBI:Sybase:/username/password/Sybase/dummy
++
++ The script reads in the contents of the file, and splits it into an
++ array of:

++
++ These lines in the script to make the connection:
++ # Connect to the server.
++ $dbh = DBI->connect($Cn[0], $Cn[1], $Cn[2], $Cn[3])
++   or die "$DBI::errstr";
++
++ This provides the field variables to make the Sybase connection, but the
++ username/password do not appear in the script itself.  The file with
++ that information is read-only, accessible only to its owner (me).
++ That's about as secure as I can make it.
++
++ The "dummy" field is only there to ensure the field ahead of it is split
++ out correctly.  I had trouble with that at the point of connection.
++ Someday I will go back and figure out the problem.
++
++ Any comments?  Particularly, if someone sees a big gaping hole in this,
++ I would *greatly* *appreciate* finding out.

Easy. Two problems.
 - If "New User" could create files with permission 400 and ownership of
   the uid the script runs under (the uid of the webserver), he could have
   made the script 500 and owned by the uid of the webserver, and not
   have the problem at all.
 - Since he can't create files owned by the same uid as the webserver runs
   under, he's very likely to be "just another user" on said machine. Hence,
   it's very likely others can create CGI programs as well. When executed
   by the webserver, said CGI programs can read the .auth file as well.

Basically, what "New User" needs to do is take his script to a server
he and people he trusts have access to.

Followups set, as this hasn't anything to do with Sybase.

Abigail