[Tutor] passwords in scripts
Danny Yoo
dyoo at hkn.eecs.berkeley.edu
Tue Jan 24 20:02:33 CET 2006
On Tue, 24 Jan 2006, Ivan Furone wrote:
> I'm not sure I understand what you are saying here. Surely if the file
> is compiled it can just run (and will only need to be RE-compiled when I
> have to change the code (such as when one of the servers has their
> password changed).
Hi Ivan,
But the issue is that hardcoding passwords in a program doesn't really
protect that password from exposure. For example:
######
bash-3.00$ cat test.py
message = "hello, this is a test"
bash-3.00$ python
Python 2.3.3 (#1, Nov 7 2005, 22:36:37) [C] on sunos5
Type "help", "copyright", "credits" or "license" for more information.
>>> import test
>>> ^D
#######
Doing the import will cause test.py to be compiled to 'test.pyc':
######
bash-3.00$ ls -l test.pyc
-rw-r--r-- 1 dyoo other 143 Jan 24 10:55 test.pyc
######
But watch what happens here:
######
bash-3.00$ strings test.pyc
hello, this is a testN(
message(
message(
test.pys
######
Our secret string shows right up!
This works even if we're talking about C code:
/******/
bash-3.00$ cat test.c
#include <stdio.h>
int main(int argc, char** argv) {
char *msg = "hello";
}
bash-3.00$ gcc test.c
bash-3.00$ strings a.out
hello
/******/
So the fact that we're "compiling" code doesn't do anything significant to
add security: those string literals are ripe for the taking for anyone
competent enough to use the 'strings' command. So that's what we're
trying to warn you about. Compiling code is not a magic wand to obscure
secrets.
Hope this helps!
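The check Danny runs by hand above ('strings test.pyc') can be reproduced on a current Python 3, where the same thing happens: constants are marshalled into the .pyc uncompressed. The script below is an added example, written for this archive page and not part of Danny's message or of the Tutor list. It re-implements the 'strings' command in a few lines, compiles two variants of test.py into a scratch directory, and reports whether the secret is recoverable from the bytecode. The second variant shows the usual mitigation, reading the secret at run time instead of writing it into the source; the environment variable name APP_SECRET and the sample secret are constructed for the example.

```python
# Added example (editor's, not from Danny Yoo's message): reproduce the
# 'strings test.pyc' check on a current Python 3 and contrast a hard-coded
# secret with one read at run time.
import os
import py_compile
import tempfile

# Constructed sample secret and two variants of the script under test.
SECRET = "hello, this is a test"
HARDCODED_SOURCE = 'message = "hello, this is a test"\n'
# APP_SECRET is an assumed variable name for this example.
RUNTIME_SOURCE = 'import os\nmessage = os.environ["APP_SECRET"]\n'


def find_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Minimal re-implementation of the 'strings' command: return every run
    of at least min_len printable ASCII bytes found in data."""
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def secret_leaks_into_pyc(source: str, secret: str) -> bool:
    """Compile source to a .pyc in a scratch directory and report whether
    secret shows up among the bytecode's printable strings."""
    with tempfile.TemporaryDirectory() as scratch:
        src = os.path.join(scratch, "test.py")
        with open(src, "w", encoding="utf-8") as fh:
            fh.write(source)
        pyc = py_compile.compile(
            src, cfile=os.path.join(scratch, "test.pyc"), doraise=True
        )
        with open(pyc, "rb") as fh:
            compiled = fh.read()
    # 'strings' prints whole runs, so the secret may sit inside a longer one
    # (in Danny's output it was followed by "N(").
    return any(secret in s for s in find_strings(compiled))


def compare() -> dict[str, bool]:
    """Leak status for both variants: the hard-coded script leaks the
    secret, the run-time script does not."""
    return {
        "hardcoded": secret_leaks_into_pyc(HARDCODED_SOURCE, SECRET),
        "runtime": secret_leaks_into_pyc(RUNTIME_SOURCE, SECRET),
    }


if __name__ == "__main__":
    for name, leaked in compare().items():
        print(f"{name:10s} secret in .pyc: {leaked}")
```

Running it prints True for the hard-coded variant and False for the run-time one. Reading the secret from the environment keeps it out of every artifact you ship or check in, but it only moves the exposure: the value still has to come from somewhere with restricted permissions (a root-readable file, a secrets store), and anything that can read the running process's environment can read it too.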