[24911] in Perl-Users-Digest


Perl-Users Digest, Issue: 7161 Volume: 10

daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Tue Sep 21 21:33:23 2004

Date: Tue, 21 Sep 2004 18:32:00 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)

Perl-Users Digest           Tue, 21 Sep 2004     Volume: 10 Number: 7161

Today's topics:
        pp failing <iss025@bangor.ac.uk>
    Re: pp failing <Graham.T.Wood@oracle.com>
    Re: problem fetching *only one* value. (Nitin)
    Re: problem fetching *only one* value. <see@sig.invalid>
    Re: problem fetching *only one* value. <Joe.Smith@inwap.com>
        problem with Net::SSH::W32Perl; (Mike Solomon)
    Re: problem with Net::SSH::W32Perl; (Mike Solomon)
        problem with sysopen() on nfs <bik.mido@tiscalinet.it>
    Re: problem with sysopen() on nfs <Joe.Smith@inwap.com>
    Re: problem with sysopen() on nfs <bik.mido@tiscalinet.it>
    Re: Protecting passwords in Perl scripts? <bik.mido@tiscalinet.it>
    Re: Protecting passwords in Perl scripts? <mshelor@comcast.removeme.net>
    Re: Protecting passwords in Perl scripts? ctcgag@hotmail.com
    Re: Protecting passwords in Perl scripts? <usenet@morrow.me.uk>
    Re: Protecting passwords in Perl scripts? <Joe.Smith@inwap.com>
    Re: Protecting passwords in Perl scripts? <sppNOSPAM@monaco377.com>
    Re: Protecting passwords in Perl scripts? <gifford@umich.edu>
    Re: rand() question <ian.sedwell@btclick.com>
    Re: rand() question <mritty@gmail.com>
        Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)

----------------------------------------------------------------------

Date: Mon, 20 Sep 2004 19:26:47 +0100
From: "P.R.Brady" <iss025@bangor.ac.uk>
Subject: pp failing
Message-Id: <414F20E7.5000407@bangor.ac.uk>

I'm trying to generate a self-contained executable with pp but it is 
fighting back and I think I have a major misunderstanding somewhere!
I gather that pp is part of PAR so I installed PAR first.   Seemed to 
install okay so I started with a really easy first example:

	use warnings;
	use strict;
	print "hello\n";

perldoc pp seems to suggest that all I do is:

	pp test.pl

but sadly it fails.

Would someone out there help with my understanding please?

1.  In perldoc pp the examples have prompts which are either % or $.
The $ looks like the command interpreter, but what's the % ?  I'm issuing 
the pp at the command prompt.

2.  The -log feature of pp doesn't work:

       pp test.pl -log test.log  does not log, and redirection fails too:
       pp test.pl>test.log

3.  So I'll have to copy it by hand:

pp test.pl responds:

------------------------------------------------------
Compress::Zlib object version 1.22 does not match bootstrap parameter 
1.16 at /loader/0x8b08b8/DynaLoader.pm line 225
Compilation failed in require at /loader/0x8b08b8/Archive/Zip.pm line 24
BEGIN failed - compilation aborted at /loader/0x8b08b8/Archive/Zip.pm 
line 24
Compilation failed in require in par.pl line 255
----------------------------------------------------

A ppm query Compress.Zlib confirms that the version is 1.22
Verify PAR confirms PAR is up to date, but remains mute when
I ask about Compress.Zlib.
verify --upgrade Compress.Zlib has not fixed it.

What might I be doing wrong?

Version of perl is v5.6.1 with one locally built patch 638 and I'm 
running under Win XP.

Regards
Phil



------------------------------

Date: Tue, 21 Sep 2004 16:56:18 +0100
From: Graham Wood <Graham.T.Wood@oracle.com>
Subject: Re: pp failing
Message-Id: <41504F22.B03A303E@oracle.com>

"P.R.Brady" wrote:
> 
> I'm trying to generate a self-contained executable with pp but it is
> fighting back and I think I have a major misunderstanding somewhere!

I had lots of headaches getting pp to work.  Your problem is that your
Compress::Zlib is newer than your PAR install.  You can get the older
one by installing an older build of perl (I think Activestate build 635
is where I was told to get this version of Compress::Zlib).

When I finally got mine to work I ended up reinstalling perl
(Activestate build 638 of 5.6.1), set the HTTP_proxy environment
variable so that ppm ran properly then reinstalled PAR using my new
working ppm.  According to the docs (and my experience) not setting
HTTP_proxy is one of the most common reasons for difficulties using
ppm.  Installing PAR properly with your ppm not working properly is
painful.

Hope this helps.

Graham


------------------------------

Date: 18 Sep 2004 09:37:01 -0700
From: nitin.thakur@ubs.com (Nitin)
Subject: Re: problem fetching *only one* value.
Message-Id: <ff21db84.0409180837.3047611b@posting.google.com>

Hi Jim,

Thanks, that = was an oversight i guess :-| But, even now my code
validates me every time, even if my name is not in the specified table.
Now the code looks like this: -
--------------------------------------------------------------
#!/sbcimp/run/pd/perl/prod/bin/perl  -w
use CGI qw/:all/;
use CGI::Carp qw/fatalsToBrowser/;
use DBI;
use strict;
my $USERID = $ENV_ID;
my $wobj = new CGI;
print $wobj->header();
print $wobj->start_html();
DBI->trace(1);
print $wobj->hr;
my $dbh = DBI->connect('DBI:Oracle:xyz', 'abc', 'fgh') || die
"Database connection not possible: $DBI::errstr";
my $sth = $dbh->prepare("SELECT LOGIN_ID FROM ADMINS WHERE LOGIN_ID =
'$USERID'") || die '$DBI::errstr';
$sth->execute() || die '$DBI::errstr';
my @row = $sth->fetchrow_array();
my $login_id = $row[0];
if ($login_id eq $USERID) {
        print  '<H1>You are an admin</H1>';
        print '<hr>';
} else {
        print  '<H2>You are not an admins</H2>';
}
$dbh->disconnect();
print $wobj->end_html;
--------------------------------------------------------------

Not sure what the problem is now. Would appreciate your reply. 

Thanks in advance.

Nitin

(PS: I have tried all three options which you specified
previously.)


------------------------------

Date: Sat, 18 Sep 2004 14:10:14 -0400
From: Bob Walton <see@sig.invalid>
Subject: Re: problem fetching *only one* value.
Message-Id: <414C7A06.8060303@sig.invalid>

Nitin wrote:

 ...

> Thanks, that = was an oversight i guess :-| But, even now my code
> validates me every time, evenif my name is not in the specified table.
> Now the code looks like this: -
> --------------------------------------------------------------
> #!/sbcimp/run/pd/perl/prod/bin/perl  -w
> use CGI qw/:all/;
> use CGI::Carp qw/fatalsToBrowser/;
> use DBI;
> use strict;
> my $USERID = $ENV_ID;

---------------^^^^^^^
This doesn't compile because this variable is undeclared and strict is 
in effect.  What was your real code?


> my $wobj = new CGI;
> print $wobj->header();
> print $wobj->start_html();
> DBI->trace(1);
> print $wobj->hr;
> my $dbh = DBI->connect('DBI:Oracle:xyz', 'abc', 'fgh') || die
> "Database connection not possible: $DBI::errstr";
> my $sth = $dbh->prepare("SELECT LOGIN_ID FROM ADMINS WHERE LOGIN_ID =
> '$USERID'") || die '$DBI::errstr';

---------------------^------------^
If this dies, you will get the literal error message $DBI::errstr .  You 
want to use "...." for variable interpolation.


> $sth->execute() || die '$DBI::errstr';

-------------------------^------------^
Ditto


> my @row = $sth->fetchrow_array();

You should test to see if any results were returned.  If not, and 
$USERID was undef (as it would have been if strict would have been 
omitted), then you would get the result you observed.


> my $login_id = $row[0];
> if ($login_id eq $USERID) {
>         print  '<H1>You are an admin</H1>';
>         print '<hr>';
> } else {
>         print  '<H2>You are not an admins</H2>';
> }
> $dbh->disconnect();
> print $wobj->end_html;
> --------------------------------------------------------------
 ... 
> Nitin
 ...

-- 
Bob Walton
Email: http://bwalton.com/cgi-bin/emailbob.pl



------------------------------

Date: Sun, 19 Sep 2004 04:06:52 GMT
From: Joe Smith <Joe.Smith@inwap.com>
Subject: Re: problem fetching *only one* value.
Message-Id: <wB73d.216381$Fg5.182663@attbi_s53>

Nitin wrote:

> my $USERID = $ENV_ID;

That sets $USERID to undef.

> my $login_id = $row[0];

You're not testing to see if fetchrow_array was successful,
so that value could easily be undef.

> if ($login_id eq $USERID) {
>         print  '<H1>You are an admin</H1>';

      if ($login_id) {
	print "<H1>You are logged in as $login_id</H1>\n";
      } else {
	print "<H2>Invalid attempt to use '$login_id' as login id<H2>\n";
      }


	-Joe
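The admin lookup from Nitin's script, rewritten as an added example that is not code from any poster in this thread. It assumes the web server has already authenticated the visitor and exported the name in $ENV{REMOTE_USER} (an assumption here; the original used an undeclared variable), takes the DSN and credentials from the posted script, binds the login id with a placeholder so it is never spliced into the SQL text, lets DBI raise errors with the real $DBI::errstr, and tests the fetch result before deciding anything:

```perl
#!/usr/bin/perl
# Added example, not from the thread: the same admin lookup done safely.
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use DBI;

# Assumed: the web server authenticated the user and set REMOTE_USER.
# An unset, empty or oddly-shaped value is never treated as a login.
my $userid = $ENV{REMOTE_USER};
my $q      = CGI->new;
print $q->header, $q->start_html('Admin check');

if (!defined $userid || $userid !~ /^[A-Za-z0-9_.-]{1,64}\z/) {
    print $q->h2('No authenticated user'), $q->end_html;
    exit;
}

# RaiseError makes every DBI failure die with the real error text, so the
# '$DBI::errstr' single-quote mistake from the original cannot recur.
my $dbh = DBI->connect('DBI:Oracle:xyz', 'abc', 'fgh',    # DSN/creds from the post
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 })
    or die "Database connection not possible: $DBI::errstr";

# Returns true only if a row for this login exists in ADMINS.
sub is_admin {
    my ($dbh, $login) = @_;
    # Placeholder: the login id travels as bound data, never as SQL text,
    # so a name like  x' OR '1'='1  cannot change the query.
    my $sth = $dbh->prepare('SELECT COUNT(*) FROM ADMINS WHERE LOGIN_ID = ?');
    $sth->execute($login);
    my ($count) = $sth->fetchrow_array;   # undef if nothing came back
    $sth->finish;
    return defined $count && $count > 0;
}

if (is_admin($dbh, $userid)) {
    print $q->h1("You are an admin: $userid"), $q->hr;
} else {
    print $q->h2("$userid is not an admin");
}
$dbh->disconnect;
print $q->end_html;
```

Because the login name is validated against a strict character class before it is used, it can also be echoed back into the page without separate HTML escaping; a looser source would need $q->escapeHTML as well.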


------------------------------

Date: 20 Sep 2004 06:07:26 -0700
From: mike_solomon@lineone.net (Mike Solomon)
Subject: problem with Net::SSH::W32Perl;
Message-Id: <56568be5.0409200507.1033d5fd@posting.google.com>

I am trying to use Net::SSH::W32Perl;

I wrote the following test script

use strict;

my $host = 'myhost';
my $user = 'user';
my $pass = 'password';
my $cmd = 'ls';

use Net::SSH::W32Perl;

my ($ssh, $out, $err, $exit);

my %args;
$args{debug} = 1;
$args{protocol} = 2;

$ssh = new Net::SSH::W32Perl($host, %args);
$ssh->login($user, $pass);

($out, $err, $exit) = $ssh->cmd("ls");

print "OUT: [$out]\n";
print "ERR: [$err]\n";
print "EXIT: [$exit]\n";

the screen gives the following output then hangs

mjstecra: Reading configuration data /.ssh/config
mjstecra: Reading configuration data /etc/ssh_config
mjstecra: Connecting to myhost, port 22.
mjstecra: Socket created, turning on blocking...
mjstecra: Remote protocol version 1.99, remote software version
OpenSSH_3.5p1 FreeBSD-20030201
mjstecra: Net::SSH::Perl Version 1.25, protocol version 2.0.
mjstecra: No compat match: OpenSSH_3.5p1 FreeBSD-20030201.
mjstecra: Connection established.
mjstecra: Sent key-exchange init (KEXINIT), wait response.
mjstecra: Algorithms, c->s: 3des-cbc hmac-sha1 none
mjstecra: Algorithms, s->c: 3des-cbc hmac-sha1 none
mjstecra: Entering Diffie-Hellman Group 1 key exchange.
mjstecra: Sent DH public key, waiting for reply.
mjstecra: Received host key, type 'ssh-dss'.
mjstecra: Host 'newred.gradwell.net' is known and matches the host
key.
mjstecra: Computing shared secret key.
mjstecra: Verifying server signature.
mjstecra: Waiting for NEWKEYS message.
mjstecra: Enabling incoming encryption/MAC/compression.
mjstecra: Send NEWKEYS, enable outgoing encryption/MAC/compression.
mjstecra: Sending request for user-authentication service.
mjstecra: Service accepted: ssh-userauth.
mjstecra: Trying empty user-authentication request.
mjstecra: Authentication methods that can continue:
publickey,password,keyboard-interactive.
mjstecra: Next method to try is publickey.
mjstecra: Next method to try is password.
mjstecra: Trying password authentication.
mjstecra: Login completed, opening dummy shell channel.
mjstecra: channel 0: new [client-session]
mjstecra: Requesting channel_open for channel 0.
mjstecra: channel 0: open confirm rwindow 0 rmax 32768
mjstecra: Got channel open confirmation, requesting shell.
mjstecra: Requesting service shell on channel 0.
mjstecra: channel 1: new [client-session]
mjstecra: Requesting channel_open for channel 1.
mjstecra: Entering interactive session.
mjstecra: Sending command: ls
mjstecra: Requesting service exec on channel 1.
mjstecra: channel 1: send eof
mjstecra: channel 1: open confirm rwindow 131070 rmax 32768
mjstecra: input_channel_request: rtype exit-status reply 0
mjstecra: channel 1: rcvd eof
mjstecra: channel 1: output open -> drain
mjstecra: channel 1: rcvd close

Has anyone got any idea how I can make this work?


------------------------------

Date: 21 Sep 2004 01:35:22 -0700
From: mike_solomon@lineone.net (Mike Solomon)
Subject: Re: problem with Net::SSH::W32Perl;
Message-Id: <56568be5.0409210035.7cdc05a0@posting.google.com>

mike_solomon@lineone.net (Mike Solomon) wrote in message news:<56568be5.0409200507.1033d5fd@posting.google.com>...
> I am trying to use Net::SSH::W32Perl;
> 
> I wrote the following test script
> 
> use strict;
> 
> my $host = 'myhost';
> my $user = 'user';
> my $pass = 'password';
> my $cmd = 'ls';
> 
> use Net::SSH::W32Perl;
> 
> my ($ssh, $out, $err, $exit);
> 
> my %args;
> $args{debug} = 1;
> $args{protocol} = 2;
> 
> $ssh = new Net::SSH::W32Perl($host, %args);
> $ssh->login($user, $pass);
> 
> ($out, $err, $exit) = $ssh->cmd("ls");
> 
> print "OUT: [$out]\n";
> print "ERR: [$err]\n";
> print "EXIT: [$exit]\n";
> 
> the screen gives the following output then hangs
> 
snip

I solved it

Doing a bit of research I found that the command needs a "\n" and
mustn't put any output to screen

so the following works

my $host = 'myhost';
my $user = 'user';
my $pass = 'password';
 
use Net::SSH::W32Perl;
 
my ($ssh, $out, $err, $exit);
 
my %args;
$args{debug} = 1;
$args{protocol} = 2;
 
$ssh = new Net::SSH::W32Perl($host, %args);
$ssh->login($user, $pass);
($out, $err, $exit) = $ssh->cmd('ls > mike.txt',"\n");


------------------------------

Date: Sat, 18 Sep 2004 22:45:11 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: problem with sysopen() on nfs
Message-Id: <dv2pk0l76cj7u2q996d5mgmdiqtq8q2seu@4ax.com>

I want to implement a locking system for a script that shouldn't allow
more than one instance on each machine of a cluster by means of a
lockfile. The relevant code snippet is:

  use Fcntl qw(O_CREAT O_EXCL);   # provides the O_* constants used below
  my $lockfile = "$lockdir/$pfx-$host";
  sysopen my $lock, $lockfile, O_CREAT | O_EXCL 
    or die "$0 already running on $host";

Now I'm aware that file operations on nfs are not atomic, but this is
not a big issue since *in this case* the probability of collisions is
ridiculously small.

However it seems that I have another problem, and a more serious one.
Namely the lockfile is actually created in the specified directory,
but it is named .nfs* (I mean, it matches that wildcard...)

Am I missing something obvious? Any workaround/alternative strategy?


TIA
Michele
-- 
{$_=pack'B8'x25,unpack'A8'x32,$a^=sub{pop^pop}->(map substr
(($a||=join'',map--$|x$_,(unpack'w',unpack'u','G^<R<Y]*YB='
 .'KYU;*EVH[.FHF2W+#"\Z*5TI/ER<Z`S(G.DZZ9OX0Z')=~/./g)x2,$_,
256),7,249);s/[^\w,]/ /g;$ \=/^J/?$/:"\r";print,redo}#JAPH,


------------------------------

Date: Sun, 19 Sep 2004 03:57:19 GMT
From: Joe Smith <Joe.Smith@inwap.com>
Subject: Re: problem with sysopen() on nfs
Message-Id: <zs73d.327804$8_6.179931@attbi_s04>

Michele Dondi wrote:
> However it seems that I have another problem, and a more serious one.
> Namely the lockfile is actually created in the specified directory,
> but it is named .nfs* (I mean, it matches that wildcard...)
> 
> Am I missing something obvious? Any workaround/alternative strategy?

The workaround is to not delete the file while it is open for reading.

When a local file is opened for reading, and is then deleted (unlinked),
the file is still there even though it does not have a directory entry.
So the process that opened the file can continue reading this now
nameless file.

When a file on an NFS mount is opened for reading, and then is deleted
on the NFS client, the client tells the NFS server to rename the file
to be .nfs{something}, so it can still be read on the client.

To avoid the symptoms you're seeing, just be sure to close all open
file handles that reference the lockfile before deleting the lockfile.
	-Joe


------------------------------

Date: Sun, 19 Sep 2004 17:42:27 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: problem with sysopen() on nfs
Message-Id: <a2hqk0h960gbn778htmu42roankpqpmrd8@4ax.com>

On Sun, 19 Sep 2004 03:57:19 GMT, Joe Smith <Joe.Smith@inwap.com>
wrote:

>> Am I missing something obvious? Any workaround/alternative strategy?
>
>The workaround is to not delete the file while it is open for reading.

Huh?!? I don't *think* I'm deleting it anywhere. Granted, I've set a
pair of signal handlers and an END block in which I do delete it
(before closing it). But they shouldn't have been called at all...

[snip explanation]

>To avoid the symptoms you're seeing, just be sure to close all open
>file handles that reference the lockfile before deleting the lockfile.

D'Oh! Now that I think of it I make my program C<fork and exit> to go
in bg, so the END block *is* executed. I'll have to change the logic
of the script.


TY,
Michele
-- 
{$_=pack'B8'x25,unpack'A8'x32,$a^=sub{pop^pop}->(map substr
(($a||=join'',map--$|x$_,(unpack'w',unpack'u','G^<R<Y]*YB='
 .'KYU;*EVH[.FHF2W+#"\Z*5TI/ER<Z`S(G.DZZ9OX0Z')=~/./g)x2,$_,
256),7,249);s/[^\w,]/ /g;$ \=/^J/?$/:"\r";print,redo}#JAPH,
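The failure mode Michele identifies above, a "fork and exit" whose END block removes the lockfile while the child still holds it open, handled in an added example (not code from the thread). The lock directory, name prefix and the daemon's work are assumptions; the point is that only the process recorded in $owner ever releases the lock, and that it closes the handle before unlinking so the NFS client never has to rename an open, unlinked file to .nfs*:

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a per-host lockfile that
# survives fork-and-exit daemonisation without deleting the file while
# a handle to it is still open.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Sys::Hostname qw(hostname);
use POSIX qw(setsid);

my $lockdir  = $ENV{LOCKDIR} || '/tmp';   # assumed; a shared NFS dir in practice
my $pfx      = 'myjob';                   # assumed lock-name prefix
my $host     = hostname();
my $lockfile = "$lockdir/$pfx-$host";

# O_EXCL makes the open fail if the file already exists: that is the
# "one instance per host" test.  The handle stays open in $lock.
sysopen my $lock, $lockfile, O_WRONLY | O_CREAT | O_EXCL
    or die "$0 already running on $host ($lockfile: $!)\n";

# Only the process whose PID is in $owner may remove the file.  It stays
# undefined in the parent, so the parent's END block does nothing.
my $owner;

sub release_lock {
    return unless defined $owner && $$ == $owner;
    close $lock if $lock;     # close first ...
    undef $lock;
    unlink $lockfile;         # ... then unlink: no open handle is left behind
    undef $owner;             # single-shot, safe if called from a signal and END
}
END { release_lock() }

# Detach: the parent exits without touching the lock; the child owns it.
my $pid = fork;
die "fork failed: $!\n" unless defined $pid;
exit 0 if $pid;
setsid();
$owner = $$;
$SIG{INT} = $SIG{TERM} = sub { release_lock(); exit 1 };

syswrite $lock, "$$\n";      # record the holder's PID for operators

# ... the daemon's real work goes here (assumed) ...
sleep 5;
```

The parent's copy of the handle is closed by normal process teardown when it exits; since it never unlinks, the child's open handle still refers to a named file, and the .nfs* rename is never triggered.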


------------------------------

Date: Sat, 18 Sep 2004 14:43:13 +0200
From: Michele Dondi <bik.mido@tiscalinet.it>
Subject: Re: Protecting passwords in Perl scripts?
Message-Id: <olrnk0ltlj36erd14a180ij5967jc789lk@4ax.com>

On 17 Sep 2004 17:14:37 -0700, IneverReadAnythingSentToMe@hotmail.com
(David Filmer) wrote:

>> But I think the OP may find interesting the article "Password
>> Authentication with Insecure Communication", by Leslie Lamport.
>
>Dr. Lamport is a researcher with Micro$oft (but I won't hold that
>against him - the guy is brilliant, so there is at least one really
>smart guy working at Micro$oft). He kindly makes many of his writings

He's also pioneered and thus made available to us LaTeX, although
AFAICT he's no more involved with it apart, possibly, for the rights
of the book ;-)

IIRC he was at DEC way back then.

>available to the public at
>http://research.microsoft.com/users/lamport/pubs/pubs.html.

Good to know.

>This paper is interesting, but it is confined to the problem of
>password eavesdropping. I don't think the idea he proposes (using
>one-time passwords in sequence) applies to this problem.

I think so too. This is why I marked my cmt as OT. More precisely it
only *marginally* applies to this problem in that it allows users to
log in securely over a net whose traffic can be seen by an intruder
*and* it doesn't require storing secret keys either on the client or
the server. The user still has to choose and memorize a "starting"
pw, so that indeed we're stuck back at the same point...


Michele
-- 
{$_=pack'B8'x25,unpack'A8'x32,$a^=sub{pop^pop}->(map substr
(($a||=join'',map--$|x$_,(unpack'w',unpack'u','G^<R<Y]*YB='
 .'KYU;*EVH[.FHF2W+#"\Z*5TI/ER<Z`S(G.DZZ9OX0Z')=~/./g)x2,$_,
256),7,249);s/[^\w,]/ /g;$ \=/^J/?$/:"\r";print,redo}#JAPH,


------------------------------

Date: Sat, 18 Sep 2004 09:23:37 -0700
From: Mark Shelor <mshelor@comcast.removeme.net>
Subject: Re: Protecting passwords in Perl scripts?
Message-Id: <S_WdnRGelOuT_NHcRVn-vA@comcast.com>

David Filmer wrote:

> I have (for example) a Perl script that connects to a database (or FTP site, 
> etc). The database (or ftp) password is either hard-coded (in clear text) in 
> the script or contained in an external configuration file (which must be 
> readable by the effective uid of the script).
> 
> Someone who was able to browse the code could easily determine the password. 
> That's a Bad Thing.
> 
> I could trivially obfuscate it (rot13, etc) but that would only thwart the 
> truly ignorant. The password could be symmetrically encrypted, but the 
> script somehow needs to determine the encryption key (and the idly curious 
> could determine this as well by reading the code).
> 
> How can I shield the database (ftp, etc) password from prying eyes?


I've written and maintained many such scripts, so this is a topic of 
personal interest.  I believe I've finally settled on an "optimal" 
approach, though individual tastes will certainly vary.

There are several possible techniques.  Each has its own advantages and 
disadvantages, depending on the threat(s) you envisage.  But, under 
normal circumstances, I'd simply recommend your second option: moving 
the passwords to a configuration file, and reading them into the script 
at runtime.

Don't bother with encryption or set-id's, at least not initially.  They 
make software a pain to use and modify, and are likely not appropriate 
to the actual threats you face.  By moving the passwords to a 
configuration file, you solve 90% of the problem: namely, you can now 
copy your scripts anywhere or share them with anyone, and cut-and-paste 
from them freely without compromising your security.

However, if other users can browse your directories and read your files 
at will, then you have a problem.  Simply protect your configuration 
files from access by others, and you've eliminated most of the 
reasonable threats.

That said, if the threats are more dire, I'd recommend encrypting the 
configuration files with GnuPG, and then decrypting/re-encrypting them 
within your scripts via the --use-agent option.  This necessitates 
running gpg-agent as a daemon to automate the passphrase handling.  Once 
you get things set up, this approach is _very_ secure and fairly easy 
to maintain.  But it's probably overkill for what you're doing.

Or, you can rig up a quick-and-dirty "password safe" in Perl using a 
hash tie'ed to a DB_File.  There are many ways to obfuscate the contents 
of the safe so that running "strings" on the db file won't reveal the 
passwords.  Still, unlike GnuPG, it won't foil the determined intruder.

Regards, Mark
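Mark's recommendation, a password kept in a separate configuration file that is protected from other users, carried through in an added example (not code from any poster). The file path and the "key = value" format are assumptions; what the example adds to the advice is the check that the file is owned by the invoking user and has no group/other permission bits before the password is read, so a careless chmod is caught at runtime rather than discovered later:

```perl
#!/usr/bin/perl
# Added example, not code from the thread: read the database password
# from a separate config file and refuse to run unless that file is
# private to the invoking user.
use strict;
use warnings;
use Fcntl ':mode';

my $conf = "$ENV{HOME}/.myapp/db.conf";    # assumed path; lines are "key = value"

# Die unless $path is owned by the real uid and has no group/other bits.
sub check_private {
    my ($path) = @_;
    my $me = $<;
    my @st = stat $path or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$path is owned by uid $uid, not by you (uid $me)\n"
        unless $uid == $me;
    die sprintf("%s is group/world accessible (mode %04o); run: chmod 600 %s\n",
                $path, S_IMODE($mode), $path)
        if $mode & (S_IRWXG | S_IRWXO);
    return 1;
}

# Parse "key = value" lines into a hash; '#' comments and blanks are skipped.
sub read_config {
    my ($path) = @_;
    check_private($path);
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*$/ || $line =~ /^\s*#/;
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "$path line $.: cannot parse '$line'";
        $cfg{$k} = $v;
    }
    close $fh;
    for my $key (qw(dsn user password)) {
        die "$path: missing required key '$key'\n" unless defined $cfg{$key};
    }
    return \%cfg;
}

my $cfg = read_config($conf);
# The script itself now holds no secret and can be copied or shared freely:
# use DBI;
# my $dbh = DBI->connect($cfg->{dsn}, $cfg->{user}, $cfg->{password},
#                        { RaiseError => 1, PrintError => 0 });
```

The ownership test uses the real uid ($<) on purpose: if the script is ever run set-id, a config file owned by the effective user but writable by the real one would otherwise pass.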


------------------------------

Date: 19 Sep 2004 05:05:01 GMT
From: ctcgag@hotmail.com
Subject: Re: Protecting passwords in Perl scripts?
Message-Id: <20040919010501.384$RH@newsreader.com>

"David Filmer" <ineverreadanythingsenttome@hotmail.com> wrote:
> I have (for example) a Perl script that connects to a database (or FTP
> site, etc). The database (or ftp) password is either hard-coded (in clear
> text) in the script or contained in an external configuration file (which
> must be readable by the effective uid of the script).
>
> Someone who was able to browse the code could easily determine the
> password. That's a Bad Thing.

So don't let them browse your code!

> I could trivially obfuscate it (rot13, etc) but that would only thwart
> the truly ignorant. The password could be symmetrically encrypted, but
> the script somehow needs to determine the encryption key (and the idly
> curious could determine this as well by reading the code).

So don't let them browse your code!

> How can I shield the database (ftp, etc) password from prying eyes?

Shield it from prying eyes while still allowing......what?

other people to look at the code?
other people to meaningfully execute the code?
other people to look at and meaningfully execute the code?
other people to look at, modify, and meaningfully execute the code?

Xho

-- 
-------------------- http://NewsReader.Com/ --------------------
Usenet Newsgroup Service                        $9.95/Month 30GB


------------------------------

Date: Sat, 18 Sep 2004 23:54:35 +0100
From: Ben Morrow <usenet@morrow.me.uk>
Subject: Re: Protecting passwords in Perl scripts?
Message-Id: <buqu12-lu4.ln1@osiris.mauzo.dyndns.org>


Quoth yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones):
> David Filmer (ineverreadanythingsenttome@hotmail.com) wrote:
> : I have (for example) a Perl script that connects to a database (or FTP site, 
> : etc). The database (or ftp) password is either hard-coded (in clear text) in 
> : the script or contained in an external configuration file (which must be 
> : readable by the effective uid of the script).
> 
> : Someone who was able to browse the code could easily determine the password. 
> : That's a Bad Thing.
> 
> : I could trivially obfuscate it (rot13, etc) but that would only thwart the 
> : truly ignorant. The password could be symmetrically encrypted, but the 
> : script somehow needs to determine the encryption key (and the idly curious 
> : could determine this as well by reading the code).
> 
> : How can I shield the database (ftp, etc) password from prying eyes?
> 
> Put the config data in a file that belongs to another user, and chmod so 
> it cannot be read by anyone else.
> 
> Now make the script suid or guid so it can read the config file when it 
> runs.
> 
> I don't guarantee this is 100% effective.  I'm not sure if it's possible 
> to hack the running perl script to dump the password after reading it.

That's avoidable by not giving write permission to the script. IIRC most
Unix kernels will remove any setid bits if a non-owner writes to a
setid file, so an attacker wouldn't get anywhere anyway.

Ben

-- 
Like all men in Babylon I have been a proconsul; like all, a slave ... During
one lunar year, I have been declared invisible; I shrieked and was not heard,
I stole my bread and was not decapitated.
~ ben@morrow.me.uk ~                   Jorge Luis Borges, 'The Babylon Lottery'


------------------------------

Date: Mon, 20 Sep 2004 08:31:11 GMT
From: Joe Smith <Joe.Smith@inwap.com>
Subject: Re: Protecting passwords in Perl scripts?
Message-Id: <jzw3d.79774$D%.69016@attbi_s51>

David Filmer wrote:

> I have (for example) a Perl script that connects to a database (or FTP site, 
> etc). The database (or ftp) password is either hard-coded (in clear text) in 
> the script or contained in an external configuration file (which must be 
> readable by the effective uid of the script).

I had a similar problem, but it involved using 'scp' instead of 'ftp'.
Public key entries in ~/.ssh/authorized_keys by themselves leave the
destination wide open to script viewers.  I use this to restrict access:

#!/usr/bin/perl
# Name: /usr/local/bin/rrsync (should have a symlink in /usr/bin)
# Author: joe.smith@inwap.com
# Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys

use strict;
use warnings;
use Socket;
use constant LOGFILE => 'rrsync.log';
my $Usage = <<EOM;
Use 'command="$0 [-ro] subdir"'
         in front of lines in $ENV{HOME}/.ssh/authorized_keys
EOM

my $ro = (@ARGV and $ARGV[0] eq '-ro') ? shift : '';    # -ro = Read-Only
my $subdir = shift;
die "No subdirectory specified\n$Usage" unless defined $subdir;

# The client uses "rsync -av -e ssh src/ server:dir/", and sshd on the server
# executes this program when .ssh/authorized_keys has 'command="..."'.
# For example:
# command="rrsync logs/client" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzGhEeNl...
# command="rrsync -ro results" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmkHG1WC...
#
# Format of the environment variables set by sshd:
# SSH_ORIGINAL_COMMAND=rsync --server          -vlogDtpr . dir # push
# SSH_ORIGINAL_COMMAND=rsync --server --sender -vlogDtpr . dir # pull
# SSH_CLIENT=client_addr client_port server_port

my $command = $ENV{SSH_ORIGINAL_COMMAND};
die "Not invoked via sshd\n$Usage"      unless defined $command;

my ($cmd,$dir) = $command =~ /(.* \.) ?(.*)/;
die "SSH_ORIGINAL_COMMAND='$command' is not rsync\n"
         unless defined $cmd and $cmd =~ /^rsync\s/;   # no match leaves $cmd undef
die "$0 -ro: sending to read-only directory $dir not allowed\n"
         if $ro and $cmd !~ /^rsync --server --sender /;

my $orig = $dir;
$dir =  $subdir if $dir eq '';          # Use subdir instead of $HOME
$dir =~ s%^/%%;                         # Don't allow absolute paths
$dir =  "$subdir/$dir" unless $dir eq $subdir or $dir =~ m%^\Q$subdir/%;
$dir =~ s%/\.\.(?=/|$)%__%g;            # Don't allow foo/../../etc or a trailing /..
$dir =~ tr|-_/a-zA-Z0-9.,|_|c;          # Don't allow ;|][}{*?

if (-f LOGFILE and open LOG,'>>',LOGFILE) {
   my ($mm,$hh) = (localtime)[1,2];
   my $host = $ENV{SSH_CLIENT} || 'unknown';
   $host =~ s/ .*//;                     # Keep only the client's IP addr
   $host = gethostbyaddr(inet_aton($host),AF_INET) || $host;
   $_ = sprintf "%-13s",$host;
   print LOG "$hh:$mm $_ [$command] =",($dir eq $orig ? " OK" : "> $dir"),"\n";
   close LOG;
}

exec "$cmd $dir" or die "exec($cmd $dir) failed: $!";
# Note: This assumes that the rsync protocol will not be maliciously hijacked.


------------------------------

Date: Mon, 20 Sep 2004 14:57:30 +0200
From: =?ISO-8859-15?Q?S=E9bastien?= Cottalorda <sppNOSPAM@monaco377.com>
Subject: Re: Protecting passwords in Perl scripts?
Message-Id: <414ed3bb$0$17693$626a14ce@news.free.fr>

David Filmer wrote:

> I have (for example) a Perl script that connects to a database (or FTP
> site, etc). The database (or ftp) password is either hard-coded (in clear
> text) in the script or contained in an external configuration file (which
> must be readable by the effective uid of the script).
> 
> Someone who was able to browse the code could easily determine the
> password. That's a Bad Thing.
> 
> I could trivially obfuscate it (rot13, etc) but that would only thwart the
> truly ignorant. The password could be symmetrically encrypted, but the
> script somehow needs to determine the encryption key (and the idly curious
> could determine this as well by reading the code).
> 
> How can I shield the database (ftp, etc) password from prying eyes?

What about using the Acme::Bleach perl module ?

Sebastien

-- 
[ retirer NOSPAM pour répondre directement
 remove NOSPAM to reply directly ]


------------------------------

Date: Mon, 20 Sep 2004 13:11:39 -0400
From: Scott W Gifford <gifford@umich.edu>
Subject: Re: Protecting passwords in Perl scripts?
Message-Id: <qszoek0vp9w.fsf@tetris.gpcc.itd.umich.edu>

Mark Shelor <mshelor@comcast.removeme.net> writes:

[...]

> That said, if the threats are more dire, I'd recommend encrypting the
> configuration files with GnuPG, and then decrypting/re-encrypting them
> within your scripts via the --use-agent option.  This necessitates
> running gpg-agent as a daemon to automate the passphrase handling.
> Once you get things set up, this approach is _very_ secure and fairly
> easy to maintain.  But it's probably overkill for what you're doing.

Interesting; I'm not really familiar with GPG's --use-agent option.
How does GPG get the passphrase to decrypt the config files?  How does
GPG prevent another user from connecting to the daemonized agent and
having it decrypt the config file for them?

Thanks!

----ScottG.


------------------------------

Date: Tue, 21 Sep 2004 00:04:18 +0000 (UTC)
From: Ian Sedwell <ian.sedwell@btclick.com>
Subject: Re: rand() question
Message-Id: <BD752F08.E4D4%ian.sedwell@btclick.com>

Hi Daniel

As a Pascal/C/Modula-2 compiled languages rule OK programmer, my gut
reaction is integer overflow. Perl performs all of its numerical
calculations using floating point math in a manner that is determined by the
CPU and the operating system on which it is running. This will obviously
vary from platform to platform. To be honest I doubt that this is in fact
the explanation and someone more knowledgeable than I will set you straight.

But there are two things that might help you home in on the problem.

First off, try the same routine, but with numbers in a range less than
32,000.

Second, have you tried using the integer pragma?

use integer;
#your integer arithmetic code goes here
no integer;
#back to using floating point


On a different note, if you want your numbers to be as close to random as
possible, you should set a random seed first. If you don't, Perl is quite
likely to produce the same 'random' series each time you run it. So you
should certainly mod your code to be something like:

srand();
$randomNumber = int(rand(999));

You can provide a seed parameter to srand, but if you don't it will use the
current time.


Happy problem solving

Ian




On 2004/09/15 01:58, in article 1095209944.109086@nntp.acecape.com, "daniel
kaplan" <nospam@nospam.com> wrote:

> so i generate a serial number with the exact code below (three lines):
> 
> $number1 = 10000 + int(rand(99999));
> $number2 = 10000 + int(rand(99999));
> $shrwsn = "$number1-$number2";
> 
> the point is i want TWO five digit numbers separated by a dash "-"
> and all is cool, but i just noticed, that for the three entries i have made
> test wise:
> 
> 79109-72626
> 106421-1023        these last two are six and four digits.....
> 108629-3542
> 
> WHY?  these were all made with the SAME script...............
> 
> 



------------------------------

Date: Tue, 21 Sep 2004 13:22:54 GMT
From: "Paul Lalli" <mritty@gmail.com>
Subject: Re: rand() question
Message-Id: <OWV3d.4296$uz1.1156@trndny03>

"Ian Sedwell" <ian.sedwell@btclick.com> wrote in message
news:BD752F08.E4D4%ian.sedwell@btclick.com...
> On 2004/09/15 01:58, in article 1095209944.109086@nntp.acecape.com,
> "daniel kaplan" <nospam@nospam.com> wrote:
>
> > so i generate a serial number with the exact code below (three lines):
> >
> > $number1 = 10000 + int(rand(99999));
> > $number2 = 10000 + int(rand(99999));
> > $shrwsn = "$number1-$number2";
> >
> > the point is i want TWO five digit numbers separated by a dash "-"
> > and all is cool, but i just noticed, that for the three entries i have made
> > test wise:
> >
> > 79109-72626
> > 106421-1023        these last two are six and four digits.....
> > 108629-3542
>
> As a Pascal/C/Modula-2 compiled languages rule OK programmer, my gut
> reaction is integer overflow.

This has nothing to do with the problem.  Please read the complete
thread from a few weeks ago.

> On a different note, if you want your numbers to be as close to random as
> possible, you should set a random seed first. If you don't Perl is quite
> likely to produce the same 'random' series each time you run it.

This is wholly untrue for any Perl version greater than 5.004.  From
perldoc -f srand:
             If srand() is not called explicitly, it is called
             implicitly at the first use of the "rand" operator.

>So you should certainly mod your code to be something like:
> srand();
> $randomNumber = int(rand(999));

If and only if you're using an obscenely outdated version of Perl.  And
if you are, you should be upgrading.

> You can provide a seed parameter to srand, but if you don't it will use the
> current time.

Also untrue.  Again from perldoc -f srand:
             the generally acceptable default,
             which is based on time of day, process ID, and
             memory allocation, or the /dev/urandom device, if
             available.

While obviously all attempts at helping are appreciated in this
discussion, it may behoove you to find a news reader which will show you
when a question has been answered rather completely weeks ago.  Also,
please refrain from "top-posting" - that is, please post your reply
*below* what you are replying to.

Thank you,
Paul Lalli




------------------------------

Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin) 
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>


Administrivia:

#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc.  For subscription or unsubscription requests, send
#the single line:
#
#	subscribe perl-users
#or:
#	unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.  

NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice. 

To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.

#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.

#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.


------------------------------
End of Perl-Users Digest V10 Issue 7161
***************************************

