root password in a .py script

Dave Brueck dave at pythonapocrypha.com
Fri Mar 12 12:59:58 EST 2004


Bart wrote:
> > > I have to place a root password into a Python script. Is there a way to
> > > encode it so that one can't read the password when viewing the file, but
> > > when the string is used it's decoded? For example:
>
> > > pass = "#$%^&@*#&*$^@"
> > > instead of:
> > > pass = "root-password"
[snip and de-top-postify]
>
> Yes, I know it isn't. It's not very graceful at all, but I must do it.
> Whether I use a baseball bat from a distance of 1 meter to strike a computer
> monitor or use a sniper rifle from 400 meters away to shoot the monitor, the
> result is the same. Currently, this is a kludge (the baseball bat
> approach)... I'm trying to make it more graceful.
>
> >
> > What is preventing you from prompting for the password on execution?
>
> The script must run automatically/programmatically on 200 machines.

What is it that this script is doing? How is it getting invoked? And if it's
being invoked by a non-root user, why should that user be allowed to do
something that requires root privileges? Is there any reason why you simply
don't run the script as root?

Answers to the above will help generate some ideas to assist you, but my bet is
the best approach will be something external to the script itself, e.g. ssh as
root to each box and launch the script that way, or put it in root's cron job,
etc. Encrypted or not, don't put the password in the script unless you are
comfortable with every user on those 200 machines knowing the root password.

IOW, don't bother hiding the password at the script-level. Rely on OS features
instead or find a better solution to the problem (preferably the latter -
blatantly circumventing the OS security mechanisms has a way of coming back to
bite you).

-Dave

P.S. If you're going to automatically run the script on 200 machines, and
you're putting the root password inside the script, does that imply that you
have a network of 200 machines that all have the same root password? :)
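
The point made in the reply above, as an added example that is not part of the original post: an encoded password is recoverable by anyone who can read the script, while a password-free script launched from root's crontab only needs to check that it runs as root and that unprivileged users cannot modify it. Base64 stands in for whatever encoding would be used, and the function names are hypothetical.

```python
import base64
import os
import stat
import sys

# Constructed sample: "root-password" is the placeholder from the question,
# and base64 is an assumed stand-in for the encoding the script would use.
ENCODED = base64.b64encode(b"root-password").decode()

def decode_like_the_script(encoded: str) -> str:
    """The script must ship its own decode step, so any reader can run it too."""
    return base64.b64decode(encoded).decode()

def file_problems(st_uid: int, st_mode: int) -> list:
    """Reasons a script file is unsafe to launch from root's crontab."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems

def preflight(path: str, euid: int) -> list:
    """Checks for a password-free script that relies on the OS for privilege."""
    problems = []
    if euid != 0:
        problems.append("not running as root")
    st = os.stat(path)
    return problems + file_problems(st.st_uid, st.st_mode)

if __name__ == "__main__":
    # Anyone with read access to the file gets the same result as the script.
    print("recovered from encoded form:", decode_like_the_script(ENCODED))
    issues = preflight(os.path.abspath(sys.argv[0]), os.geteuid())
    if issues:
        sys.exit("refusing to run: " + "; ".join(issues))
    print("running as root with no embedded password")
```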




