Secure Passwords in Memory

Alex the_brain at mit.edu
Sat Sep 30 18:10:22 EDT 2000


> I searched DejaNews and found some similar topics, but nothing which
> really answered my question. I need to get the root password from the
> user to exec a program which requires root privileges. I would like to
> immediately zero out the memory used to store the password.
> 
> This is easy in a language such as C, but I don't want to write a
> module just for this. I doubt 'del pw' or

This looked sort of interesting, so I wrote it.  I'd be leery about
actually using it in a sensitive application unless someone with more of
a clue about Python's internals looked it over and didn't find any
problems with it.  So at least you don't have to write the C module
anymore, although you'll have to test and debug it (though it seems to
work on the cursory tests I've done.) :)

I don't think you're going to get the string zero'd out of memory
without writing some C somewhere, but perhaps a better thing to do would
be to write a setuid wrapper for the program that Python is to call, or
just run the Python program as root.  I can't think of any situations
that those two solutions wouldn't cover, offhand.

Anything-to-escape-working-on-finishing-my-degree'ly yrs
Alex.

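#include "Python.h"

/* zero_out(s): overwrite the bytes of the Python string s with NULs, in place.
 * This writes into the string object's own buffer, so every reference to
 * that same string object sees the zeros afterwards. */
static PyObject *zero_out(PyObject *self, PyObject *args) {

  char *python_string;   /* points into the string object's internal buffer */
  int   string_length;   /* length filled in by the "s#" format */
  int   string_idx;

  if (!PyArg_ParseTuple(args,"s#", &python_string, &string_length)) {
    return NULL;         /* wrong argument type: exception is already set */
  }

  for (string_idx = 0; string_idx < string_length; string_idx++) {
    python_string[string_idx] = '\0';
  }

  Py_INCREF(Py_None);
  return Py_None;
}


/* Method table: exposes the function as zero_out.zero_out() */
static PyMethodDef zero_outMethods[] = {
  {"zero_out", zero_out, METH_VARARGS},
  {NULL, NULL}
};

/* Module init entry point, called on "import zero_out" */
void initzero_out(void) {

  (void)Py_InitModule("zero_out", zero_outMethods);

}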

-- 
Speak softly but carry a big carrot.
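
Added example, not part of Alex's post or of any project's code: one way to get the wipe the original poster asked for without a C module, by reading the password into a mutable bytearray instead of an immutable string and zeroing it after use. os.readv and bytearray postdate this thread, and MAX_SECRET, wipe, read_secret, secret_from and feed_secret are names made up for the example; the caller is assumed to supply the file descriptors (for instance a terminal with echo already off, and a child's stdin pipe).

```python
# Added example (not from the original post): keep a secret in a mutable
# bytearray so it can be overwritten in place, with no C extension.
import os
from contextlib import contextmanager

MAX_SECRET = 256  # assumed upper bound on the password length


def wipe(buf):
    """Overwrite every byte of a bytearray in place."""
    for i in range(len(buf)):
        buf[i] = 0


def read_secret(fd, buf):
    """Read one line from fd straight into buf; return the secret's length.

    os.readv() fills the caller's buffer, so no immutable bytes/str copy of
    the secret is created on the Python side.
    """
    n = os.readv(fd, [buf])
    while n and buf[n - 1] in (0x0A, 0x0D):  # strip trailing LF / CR
        n -= 1
        buf[n] = 0
    return n


@contextmanager
def secret_from(fd):
    """Yield a memoryview over the secret; wipe the buffer on exit."""
    buf = bytearray(MAX_SECRET)
    try:
        n = read_secret(fd, buf)
        view = memoryview(buf)[:n]
        try:
            yield view
        finally:
            view.release()  # later use of the view raises ValueError
    finally:
        wipe(buf)           # runs even if the caller's block raised


def feed_secret(in_fd, out_fd):
    """Copy the secret from in_fd to out_fd (e.g. a child's stdin pipe)."""
    with secret_from(in_fd) as view:
        return os.write(out_fd, view)
```

This covers only the buffer the Python code owns: anything that converts the view to str or bytes creates a copy that cannot be wiped this way.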



