I am working on an automated backup script. This script needs to download an HTTP resource using a username and password. At the moment, the auth credentials are in cleartext, which is obviously not ideal from a security point of view. I recently discovered the security utility on OS X after reading this blog post. security gives you keychain access from the command line. The OS X Keychain allows you to specify applications that are allowed access to a specific password, but it turns out that you can't give myscript access if it in turn calls security; you have to put security, which basically gives access to anyone on the machine.

Aside from creating a user (e.g. "backups") purely for running this script, and giving the script 700 permissions, are there any better ways to solve this problem in OS X 10.5?

+1  A: 

Basically, anything you store in a way accessible to your program with no user input can be accessed by a determined user. If I were you, I'd just store the credentials in a 0700-permissions file to ensure that only the right people can see it.

If you're wondering why not to obfuscate the passwords, you might want to take a look at Pidgin's policy on the matter: http://developer.pidgin.im/wiki/PlainTextPasswords.

Ben Alpert
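As an added example (not code from the question or from the answer above), here is how the answer's "0700-permissions file" suggestion can be carried out so that the script refuses to run if the file has ever been loosened, and so that the password never lands on the curl command line, where any user on the machine can read it with ps. The credentials file is written in curl's -K/--config format, which has been supported for a very long time and works with the curl shipped on OS X 10.5. The file name, the backup URL and the function names are assumptions for this example; BSD stat (OS X) and GNU stat (Linux) take different flags, so both are handled.

```shell
#!/bin/sh
# Added example for the Q&A above; not part of the original post or answer.
# Assumed layout (hypothetical names): the credentials live in $CRED_FILE as a
# curl config file holding a single `user = "name:password"` line, and the
# script fetches $BACKUP_URL with `curl -K "$CRED_FILE"` so the password is
# never passed as an argument that `ps` would show to every user on the box.

CRED_FILE="${CRED_FILE:-$HOME/.backup-creds}"                     # assumption
BACKUP_URL="${BACKUP_URL:-https://backups.example.com/latest.tgz}" # assumption

# file_mode FILE  -> permission bits as octal text, e.g. "600".
# file_owner FILE -> numeric uid of the owner.
# OS X ships BSD stat (-f FORMAT), Linux ships GNU stat (-c FORMAT).
file_mode() {
    if [ "$(uname)" = "Darwin" ]; then stat -f '%Lp' "$1"; else stat -c '%a' "$1"; fi
}
file_owner() {
    if [ "$(uname)" = "Darwin" ]; then stat -f '%u' "$1"; else stat -c '%u' "$1"; fi
}

# check_cred_file FILE -> 0 if FILE is a regular file, owned by the calling
# user, with no group or other permission bits at all (mode ends in 00);
# 1 otherwise. The script bails out rather than use a file someone has widened.
check_cred_file() {
    f="$1"
    [ -f "$f" ] || { echo "credential file $f missing or not a regular file" >&2; return 1; }
    [ "$(file_owner "$f")" = "$(id -u)" ] || { echo "$f is not owned by uid $(id -u)" >&2; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$f has mode $mode; group/other bits must be zero (e.g. 600)" >&2; return 1 ;;
    esac
}

# write_cred_file FILE USER PASSWORD -> (re)creates FILE in curl -K format.
# umask 077 makes the file owner-only from the moment it is created, so there
# is no window in which it is world-readable. Passwords containing a double
# quote or backslash would need escaping for curl's config parser; not handled.
write_cred_file() {
    f="$1"; u="$2"; p="$3"
    old_umask=$(umask)
    umask 077
    rm -f "$f"
    printf 'user = "%s:%s"\n' "$u" "$p" > "$f"
    umask "$old_umask"
}

# fetch_backup OUTFILE -> downloads BACKUP_URL to OUTFILE using the credentials
# in CRED_FILE. --fail turns an HTTP 401/404 into a non-zero exit for the
# backup job; the password is read from the config file, never from argv.
fetch_backup() {
    check_cred_file "$CRED_FILE" || return 1
    curl --fail --silent --show-error -K "$CRED_FILE" -o "$1" "$BACKUP_URL"
}

# Typical use from the backup job (runs as the dedicated "backups" user):
#   write_cred_file "$CRED_FILE" backup 's3cret'   # once, by hand
#   fetch_backup /var/backups/latest.tgz            # from cron
```

This does not make the password unreadable to root or to anyone who can run code as the backups user, which is the point the answer makes; it only guarantees that the file is never readable by other local users, that the job notices if that changes, and that the password is not broadcast through the process table every time curl runs.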