Save passwords in scripts

Florian Lindner Florian.Lindner at xgm.de
Mon Mar 28 15:22:47 EST 2005


Serge Orlov wrote:

> Florian Lindner wrote:
>> Paul Rubin wrote:
>>
>>> - sort of similar: have a separate process running that knows the
>>> password (administrator enters it at startup time).  That process
>>> listens on a unix socket and checks the ID of the client.  It reveals
>>> the password to authorized clients, i.e. your readable script running
>>> under sudo.  This keeps the password from ever being stored on disk.
>>>
>>> - Modify the script itself to run as a long-running service instead
>>> of as something that gets started and restarted all the time.  Have
>>> an admin start it and type the password into it at startup time.
>>> Users then connect to it (maybe with a web browser) and send it
>>> commands.
>>>
>>> - Move the user operations from the script to server side database
>>> procedures that do their own validity checking.  Then you don't need
>>> a password.
>>
>> I'll evaluate the 3 ideas above further.
> 
> I'm surprised there are no building blocks for a sudo replacement
> in the UNIX world, at least I googled and couldn't find them.
> Basically you need to split your script into two parts: privileged
> server and user client. They can talk xml-rpc over unix socket.

Can I find out the identity of the client (PID/UID) when using a unix socket?

> If you need performance you can also open another socket
> for sending huge binary objects.
> 
> With regards to clear text password and admin, you can only
> obfuscate or make it hard to obtain the password. It's just to
> keep honest admins honest. Same story on Windows, btw.
> 
>   Serge.

Florian
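
On the question of identifying the client of a unix socket: the following is an added example, not part of the original thread. It assumes Linux, where `SO_PEERCRED` returns the kernel-recorded PID/UID/GID of the peer; the function names, the socket path and the password value are constructed for illustration.

```python
import os
import socket
import struct
import tempfile

# Linux struct ucred: pid_t pid (signed), uid_t uid, gid_t gid (unsigned).
_UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def serve_one(listener, secret, allowed_uids):
    """Accept one client; send the secret only if its kernel-reported UID is allowed."""
    conn, _ = listener.accept()
    with conn:
        pid, uid, gid = peer_credentials(conn)
        # Authorize on UID, not PID: the PID is captured at connect() and can be reused.
        if uid in allowed_uids:
            conn.sendall(secret)
        else:
            conn.sendall(b"DENIED")
        return pid, uid, gid


def demo(allowed_uids):
    """Run server and client in one process over a socket in a private temp dir."""
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        path = os.path.join(d, "secret.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            listener.listen(1)
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.connect(path)  # completes via the listen backlog
                creds = serve_one(listener, b"constructed-password", allowed_uids)
                reply = client.recv(64)
    return creds, reply


if __name__ == "__main__":
    print(demo({os.getuid()}))
```

The credentials come from the kernel, so the client cannot forge them by what it sends over the socket.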