Save passwords in scripts

Serge Orlov Serge.Orlov at gmail.com
Tue Mar 22 08:21:11 CET 2005


Florian Lindner wrote:
> Paul Rubin wrote:
>
>> - sort of similar: have a separate process running that knows the
>> password (administrator enters it at startup time).  That process
>> listens on a unix socket and checks the ID of the client.  It reveals
>> the password to authorized clients, i.e. your readable script running
>> under sudo.  This keeps the password from ever being stored on disk.
>>
>> - Modify the script itself to run as a long-running service instead
>> of as something that gets started and restarted all the time.  Have
>> an admin start it and type the password into it at startup time.
>> Users then connect to it (maybe with a web browser) and send it
>> commands.
>>
>> - Move the user operations from the script to server side database
>> procedures that do their own validity checking.  Then you don't need
>> a password.
>
> I'll evaluate the 3 ideas above further.

I'm surprised there are no building blocks for a sudo replacement
in the UNIX world, at least I googled and couldn't find them.
Basically you need to split you script into two parts: priveledged
server and user client. They can talk xml-rpc over unix socket.
If you need performance you can also open another socket
for sending huge binary objects.

With regards to clear text password and admin, you can only
obfuscate or make it hard to obtain the password. It's just to
keep honest admins honest. Same story on windows, btw.

  Serge.





More information about the Python-list mailing list