This isn't a question but more of a here's what I did as a possible way of using a password within a script.
In my case, my croned backups that run and encrypt tarball backup that I'll use a password to decrypt.
While it is possible to place a password within the script, it's not a good idea for obvious reasons.
What I have done in the past (and probably the recommended way) was to create a directory in /etc and chmod the directory so that only root can access the file within that contains the password for gpg to use.
I wanted to get away from that so my solution was to rewrite the script to a C program. Perhaps a bit out of the ordinary and of course, I save the source file off system.
Yes I know, they can be decompiled but that would mean someone taking the time to do all that. In the end, this is turning out to be a good working scenario for me.
This idea won't be for everyone but more of a possible way of using scripts that contain passwords on the system.
I would be curious on other ways folks are getting around the use of password within scripts.
Converting scripts to C that contain phrases
- cds60601
- df -h | participant
- Posts: 739
- Joined: 2017-11-25 05:58
- Location: Florida
- Has thanked: 138 times
- Been thanked: 65 times
Re: Converting scripts to C that contain phrases
Awe what the hell!!
lol, all the time I put in to actually write and test the C programs... and all along, there was this....
Last edited by cds60601 on 2024-03-17 15:32, edited 1 time in total.
Supercalifragilisticexpialidocious
-
- Global Moderator
- Posts: 2979
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 75 times
- Been thanked: 407 times
Re: Converting scripts to C that contain passwords
Hello,
Compiling passwords or passphrases into a binary executable does not make it secure. Outputting the binary contents of the file (searching for character arrays in plain text) or using a debugger will allow an authorised user to access them if he/she can access the executable.
—
note: replaced “contian” with “contain” in the subject of the first post.
- cds60601
- df -h | participant
- Posts: 739
- Joined: 2017-11-25 05:58
- Location: Florida
- Has thanked: 138 times
- Been thanked: 65 times
Re: Converting scripts to C that contain phrases
@AKI - I do believe I covered that with the above.
cds60601 wrote: ↑2024-03-16 14:59
While it is possible to place a password within the script, it's not a good idea for obvious reasons.
What I have done in the past (and probably the recommended way) was to create a directory in /etc and chmod the directory so that only root can access the file within that contains the password for gpg to use.
Yes I know, they can be decompiled but that would mean someone taking the time to do all that. In the end, this is turning out to be a good working scenario for me.
This idea won't be for everyone but more of a possible way of using scripts that contain passwords on the system.
Last edited by cds60601 on 2024-03-17 15:33, edited 1 time in total.
Supercalifragilisticexpialidocious
-
- df -h | grep > 20TiB
- Posts: 1418
- Joined: 2012-10-06 05:31
- Location: /dev/chair
- Has thanked: 80 times
- Been thanked: 191 times
Re: Converting scripts to C that contain passwords
Extracting strings from compiled C doesn't require any decompiling at all, or access to the source for that matter. A simple 'strings <binary>' will dump any plaintext, and anything more complex is but a minute with a hex editor away.
shc might be secure enough for your needs, as it apparently encrypts the embedded shell script... But I doubt it, since the key for said encryption would have to be in the C binary as well, and unless some other trickery is going on the above will work just fine to retrieve it.
What you're talking about with compiled code vs. shell isn't security, it's obfuscation. Trivially weak obfuscation at that.
The real answer is the same as it has always been: Don't hardcode credentials. Whether it's in bash or C is irrelevant.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
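As an added example (not part of any post in this thread), one way to keep the passphrase out of both the script and a compiled binary is the root-only file approach mentioned in the first post, with a permission check before gpg reads it. The path `/etc/backup-secrets/passphrase` and the function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: passphrase lives in a file only its owner can read.
# PASSFILE location is an assumption, not a path from the thread.
PASSFILE="${PASSFILE:-/etc/backup-secrets/passphrase}"

# Return 0 only if the file is a regular file (not a symlink), is owned by
# the user running the script, and has no group/other permission bits set.
check_secret_file() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    owner=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "wrong owner on $f" >&2; return 1; }
    case "$mode" in
        *00) return 0 ;;                                  # e.g. 600 or 400
        *)   echo "mode $mode on $f is too open" >&2; return 1 ;;
    esac
}

# Tar a directory and encrypt it symmetrically. gpg reads the passphrase
# from the file itself, so it never appears in the script, in argv (visible
# in ps output) or in the environment.
encrypt_backup() {
    src="$1"; out="$2"
    check_secret_file "$PASSFILE" || return 1
    (
        umask 077                                         # output readable by owner only
        tar -czf - -C "$src" . |
            gpg --batch --yes --pinentry-mode loopback \
                --passphrase-file "$PASSFILE" \
                --symmetric --cipher-algo AES256 -o "$out"
    )
}

# Cron usage (hypothetical paths): encrypt_backup /home /var/backups/home.tar.gz.gpg
```

Anyone who can read the script learns only where the passphrase file is; reading the passphrase still requires the owner's (here root's) privileges, which is the boundary that embedding it in a binary does not provide.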
- cds60601
- df -h | participant
- Posts: 739
- Joined: 2017-11-25 05:58
- Location: Florida
- Has thanked: 138 times
- Been thanked: 65 times
Re: Converting scripts to C that contain phrases
While I agree 100%, in my case, this is simply running a nightly cron that creates a tarball that gets piped through gpg (along with the phrase) to encrypt the tarball.
steve_v wrote: ↑2024-03-17 14:51
Extracting strings from compiled C doesn't require any decompiling at all, or access to the source for that matter. A simple 'strings <binary>' will dump any plaintext, and anything more complex is but a minute with a hex editor away.
shc might be secure enough for your needs, as it apparently encrypts the embedded shell script... But I doubt it, since the key for said encryption would have to be in the C binary as well, and unless some other trickery is going on the above will work just fine to retrieve it.
What you're talking about with compiled code vs. shell isn't security, it's obfuscation. Trivially weak obfuscation at that.
The real answer is the same as it has always been: Don't hardcode credentials. Whether it's in bash or C is irrelevant.
Nothing of serious importance nor related to actual credentials is being used.
So perhaps I failed to disclose that in the beginning, and in my case, I find this to be perfectly acceptable for a home user, which I am using this process on my home systems and certainly not in a business environment.
But you are correct, passwords should not be used within any type of script unless you are willing to accept the consequences of your actions.
In the end, the user must make that determination what is best for them and the scenario they choose to use it for.
Note: I changed the initial subject to actually reflect my use case.
Supercalifragilisticexpialidocious
-
- Global Moderator
- Posts: 2719
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 201 times
Re: Converting scripts to C that contain phrases
maybe look into keychain and if it can be called from a script?
https://packages.debian.org/bookworm/keychain