Save passwords in scripts

Serge Orlov Serge.Orlov at gmail.com
Tue Mar 29 01:45:20 EST 2005


Florian Lindner wrote:
> Serge Orlov wrote:
>
>> Florian Lindner wrote:
>>> Paul Rubin wrote:
>>>
>>>> - sort of similar: have a separate process running that knows the
>>>> password (administrator enters it at startup time).  That process
>>>> listens on a unix socket and checks the ID of the client.  It
>>>> reveals the password to authorized clients, i.e. your readable
>>>> script running under sudo.  This keeps the password from ever
>>>> being stored on disk.
>>>>
>>>> - Modify the script itself to run as a long-running service instead
>>>> of as something that gets started and restarted all the time.  Have
>>>> an admin start it and type the password into it at startup time.
>>>> Users then connect to it (maybe with a web browser) and send it
>>>> commands.
>>>>
>>>> - Move the user operations from the script to server side database
>>>> procedures that do their own validity checking.  Then you don't
>>>> need a password.
>>>
>>> I'll evaluate the 3 ideas above further.
>>
>> I'm surprised there are no building blocks for a sudo replacement
>> in the UNIX world, at least I googled and couldn't find them.
>> Basically you need to split your script into two parts: privileged
>> server and user client. They can talk xml-rpc over unix socket.
>
> Can I find out the identity of the client (PID/UID) when using unix
> socket?

Paul Rubin has answered this question. And as far as I know, not all
unix OSes support that.  But you can do the following: create a security
group, add people to that group and create the socket that is owned
by the server process and accessible only by the people in that special
group.

  Serge.
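
The group-restricted socket described in this message, combined with the client ID check from Paul Rubin's first suggestion, as an added example that is not part of the original thread. It assumes Linux (`SO_PEERCRED`); the socket path, the secret and the use of the process's own group as the "special group" are constructed for illustration.

```python
import os, socket, struct, tempfile

def make_group_socket(path, gid):
    """Bind a unix socket that only its owner and members of `gid` can connect to."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o177)              # socket is created 0600, never world-accessible
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    os.chown(path, -1, gid)            # group ownership goes to the special group
    os.chmod(path, 0o660)              # connect() requires write permission
    srv.listen(1)
    return srv

def peer_ids(conn):
    """(pid, uid, gid) of the connected client, or None where SO_PEERCRED is absent."""
    if not hasattr(socket, "SO_PEERCRED"):      # Linux-specific option
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    return struct.unpack("iII", raw)

def serve_one(srv, secret, allowed_uids):
    """Accept one client; send the secret only if its kernel-reported uid is allowed."""
    conn, _ = srv.accept()
    with conn:
        ids = peer_ids(conn)           # fails closed when the peer cannot be identified
        if ids is not None and ids[1] in allowed_uids:
            conn.sendall(secret)
            return True
    return False

def demo(allowed_uids=None):
    """Run server and client in one process; return (socket mode, bytes received)."""
    if allowed_uids is None:
        allowed_uids = {os.getuid()}
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "secret.sock")
    srv = make_group_socket(path, os.getgid())   # own gid stands in for the group
    try:
        mode = os.stat(path).st_mode & 0o777
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
            cli.connect(path)                    # queued in the listen backlog
            serve_one(srv, b"constructed-secret", allowed_uids)
            return mode, cli.recv(64)
    finally:
        srv.close(); os.unlink(path); os.rmdir(tmpdir)

if __name__ == "__main__":
    print(demo())
```

On systems that ignore permissions on the socket file itself, put the socket inside a directory that only the group can enter.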




