tags:

views:

80

answers:

4
Q: 

Securely using password as bash argument

Hi, I'm extracting a part of a web application that handles the signup, the other part will be rewritten.

The idea is the signup part can exist as a separate application, interface with the rest of the application for creating and setting up the account. Obviously there are a ton of ways to do this, most of them network based solutions like SOAP, but I'd like to use a simpler solution: a setup script.

The concern is that certain sensitive data, specifically the admin password of the new account, would be passed through bash.

I was thinking of sharing a small class between the applications, so that the password can be passed already hashed, but I would also have to pass the salt, so it still seems like a (small) security risk. One of the concerns is bash logging (can I disable that for a single command?) but I'm sure there are other concerns as well?

This would be on the same private server, so the risk seems minimal, but I don't want to take any chances whatsoever.

Thanks.

+1  A: 

Use the $HISTFILE environment variable, unset it (this is for all users):

echo "unset HISTFILE" >> /etc/profile

Then set it back again.

More info on $HISTFILE variable here: http://linux.about.com/cs/linux101/g/histfileenviron.htm

Hope this helps!

Soulseekah  2010-10-23 08:11:20
Turns out you can also clear the current session history by issuing "history -c". I'll have to try this out, very interesting. Even more info here: http://www.foogazi.com/2008/06/25/how-to-delete-bash-history/
Soulseekah  2010-10-23 08:17:49
Thanks, that helps with logging part.
Joe  2010-10-23 08:26:44
So I could start the script by running "history -c" and the execution of that script would not be logged, right (and anything else in the session but it would generally be a one-command session)?
Joe  2010-10-23 08:43:27
"history -c" wipes the existing history for the current session. This means that you should "history -c" after executing the script.
Soulseekah  2010-10-23 08:52:28
xxx@xxx:~$ call it-bash: call: command not foundxxx@xxx:~$ history 1 history 2 call it 3 historyxxx@xxx:~$ history -cxxx@xxx:~$ history 1 historyxxx@xxx:~$
Soulseekah  2010-10-23 08:55:04
So the command is added to the history in RAM, AFTER it is executed?
Joe  2010-10-23 08:55:06
history -c wipes out the commands entered for the current session (not sure from where the RAM or the history file, doesn't really matter, since no commands will go into the log file for the session). If you end the session before doing history -c, then the log file will contain the bash commands.
Soulseekah  2010-10-23 08:58:56
It's easy to try it out and experiment with it. "history" will get you the bash log for the current session. You can also tail the log itself to make sure that history is actually bash history.
Soulseekah  2010-10-23 09:00:29
+1  A: 

From the man page of bash:

HISTIGNORE A colon-separated list of patterns used to decide which command lines should be saved on the history list. Each pattern is anchored at the beginning of the line and must match the com- plete line (no implicit ‘*’ is appended). Each pattern is tested against the line after the checks specified by HISTCONTROL are applied. In addition to the normal shell pattern matching characters, ‘&’ matches the previous history line. ‘&’ may be escaped using a backslash; the backslash is removed before attempting a match. The second and subsequent lines of a multi-line compound command are not tested, and are added to the history regardless of the value of HISTIGNORE.

Or, based on your comment, you could store the password in a protected file, then read from it.

Kedar Soparkar  2010-10-23 08:19:53
I'd like it to be somewhat portable though, at least I wouldn't want the command to be logged even if the system config somehow got reverted to do the logging anyway, and exporting the variable in the script itself would be too late, I think.
Joe  2010-10-23 08:41:20
This doesn't hide the command line from `ps`
Gordon Davisson  2010-10-23 16:12:03
+1  A: 

Passing the salt in clear is no problem (the salt is usually stored in clear), the purpose of the salt is avoiding the same password hashing to the same hash always (so users with the same password would have the same hash, and rainbow tables would only need a single hash for each possible password).

What is more problematic is passing sensitive data through command line arguments, an eavesdropper on the same box can see the arguments to any command (on Linux they appear on /proc//cmdline, and on most Unixes can be seen using ps; some systems restrict permissions on /proc// to only the owner of the process for security).

What you could do is pass the sensitive information through a file, don't forget to set the umask to a very restrictive setting before creating the file.

ninjalj  2010-10-23 08:53:29
This makes a lot of sense, I'll give this a shot.
Joe  2010-10-23 09:22:44
Ok, thought about it, tried it: throwing it in a file after setting umask 022 works for me. Thanks.
Joe  2010-10-23 09:36:39
Actually, I have an issue with this. The signup application is PHP. According to the manual umask can cause issues because it is not thread safe. I'm trying to understand what issues it could have in this specific situation. In the sense of what files could get the restrictive permissions that need more...
Joe  2010-10-23 09:42:10
Meh, I'll just test my ass off. Thanks again.
Joe  2010-10-23 09:43:52
ninjalj  2010-10-23 11:29:53
I ment 0077 of course, sorry. I did read those comments, which made me confident this would work. What dould the advantage of dio_open() be?
Joe  2010-10-23 12:54:03
dio_open() allows to specify the file permissions when creating a new file.
ninjalj  2010-10-25 20:40:49
+1  A: 

Bash doesn't normally log commands executed in scripts, but only in interactive sessions (depending on appropriate settings). To show this, use the following script:

#!/bin/bash
echo "-- shopt --"
    shopt | grep -i hist
echo "-- set --"
    set -o | grep -i hist
echo "--vars --"
    for v in ${!HIST*}
    do
        echo "$v=${!v}"
    done

Run it like this:

$ ./histshow

and compare the output to that from sourcing it like this:

$ . ./histshow

In the first case take note that HISTFILE is not set and that the set option history is off. In the second case, sourcing the script runs it in your interactive session and shows what your settings are for it.

I was only able to make a script keep an in-memory history by doing set -o history within the script and to log its history to a file by also setting HISTFILE and then doing an explicit history -w.

Dennis Williamson  2010-10-23 19:45:33

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security