I am building a suite of batch jobs that require regular access to a database, running on a Solaris 10 machine. Because of (unchangeable) design constraints, we are required to use a certain program to connect to it. Said interface requires us to pass a plain-text password over a command line to connect to the database. This is a terrible security practice, but we are stuck with it.
I am trying to make sure things are properly secured on our end. Since the processing is automated (i.e., we can't prompt for a password), and I can't store anything outside the disk, I need a strategy for storing our password securely.
Here are some basic rules:
- The system has multiple users.
- We can assume that our permissions are properly enforced (i.e., if a file with a is chmod'd to 600, it won't be publicly readable)
- I don't mind anyone with superuser access looking at our stored password
Here is what I've got so far:
- Store password in password.txt
- $chmod 600 password.txt
- Process reads from password.txt when it's needed
- Buffer overwritten with zeros when it's no longer needed
Although I'm sure there is a better way.
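
The read side of the steps listed above, as an added example that is not part of the original post: the job refuses the file unless it is a regular file owned by the effective user with no group/other permission bits, and zeroes the buffer through a volatile pointer so the compiler cannot drop the store. The helper names `read_password` and `secure_zero` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: zero a buffer through a volatile pointer so the
   store is not optimised away as dead code before the buffer goes away. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical helper: read the password from path into buf (NUL-terminated,
   trailing newline stripped) and return its length. Returns -1 if the file
   is not a regular file owned by the effective user, has any group/other
   permission bit set, does not fit in buf, is empty, or cannot be read. */
static long read_password(const char *path, char *buf, size_t cap) {
    struct stat st;
    ssize_t r = 0;
    size_t n = 0;
    int fd = (cap < 2) ? -1 : open(path, O_RDONLY);
    if (fd < 0) return -1;
    /* fstat the open descriptor, not the path, so check and read see the same file */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0 || st.st_size >= (off_t)cap) {
        close(fd);
        return -1;
    }
    while (n < cap - 1 && (r = read(fd, buf + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    close(fd);
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r')) n--;
    buf[n] = '\0';
    if (r < 0 || n == 0) { secure_zero(buf, cap); return -1; }
    return (long)n;
}

int main(int argc, char **argv) {
    char pw[128];
    if (argc < 2 || read_password(argv[1], pw, sizeof pw) < 0) return 1;
    /* ... hand pw to the connection step here ... */
    secure_zero(pw, sizeof pw);
    return 0;
}
```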