from Brian's code, it seems to me that he's running a Windows machine, so the getpw* stuff you refer to might not be available for him. again, i seldom develop anything in Windows, so i can't be sure. if you are worried that someone will manually open the config (text based) file, you might want to store those in a dbm file like:

#!/usr/bin/perl -w
use strict;
use NDBM_File;
use DB_File;
use Fcntl;

my %hash;

# create the store; O_EXCL makes this fail if it already exists.
# 'or' rather than '||' so that die applies to tie, not to the mode argument.
# 0600 rather than 0777: only the owner needs access to the stored credentials.
tie(%hash, "NDBM_File", "auth", O_RDWR|O_CREAT|O_EXCL, 0600) or die $!;

$hash{'dsn'}  = 'dsn';
$hash{'user'} = 'usr';
$hash{'psw'}  = 'psw';

# flush and close the dbm file
untie %hash;

__END__

then in your actual script that needs those parameters, just open the dbm file again and fetch them:

#!/usr/bin/perl -w
use strict;
use NDBM_File;
use DB_File;
use Fcntl;
use Win32::ODBC;

my %hash;

# open the existing store read-only (O_CREAT|O_EXCL would fail here
# because the file already exists)
tie(%hash, "NDBM_File", "auth", O_RDONLY, 0600) or die $!;

my $dsn = $hash{'dsn'};
my $usr = $hash{'user'};
my $psw = $hash{'psw'};

untie %hash;

my $db = new Win32::ODBC("fileDSN=$dsn; uid=$usr; psw=$psw");

#-- ...etc

this way, auth.db becomes a binary file and thus can't be easily viewed with a regular text editor.

david

Drieux wrote:
>
> On Thursday, August 29, 2002, at 11:44 , david wrote:
> [..]
>>
>> $dsn = <get from config>
>> $usr = <get from config>
>> $psw = <get from config>
>>
>> my $db = new Win32::ODBC("fileDSN=$dsn; uid=$usr; psw=$psw");
>>
>> that should avoid the horrifying "listing" effect...
>
> my compliments - there is the part about the uid and psw
> that you could get with
>
> ($name,$passwd,$uid,$gid,
> $quota,$comment,$gcos,$dir,$shell,$expire) = getpw*
>
> cf perldoc -f getpwname
>
> which would only leave one exposed on the $dsn - unless
> you wanted to play the gag of having that in the comment
> field of the nis map/active directory/ldap...
>
> unless of course $psw has to be in 'plain text' to begin with...
>
> things folks might want to keep in mind when doing the
> ConfigDSN side of the game...
>
> a part of the problem here is whether the perl code
> should be 'allowed' to do a 'setgid/setuid' to the
> appropriate gid/uid to run under that entry - and
> hence allow 'anyone who can run it' to run it...
>
> or should it have an 'access list' of uid's allowed
> to run the code...
>
> ciao
> drieux
>
> ---
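
An added example, not part of the thread or of anyone's posted code: a self-check that writes constructed credentials to a DBM store and then reads the raw file bytes back without any DBM API, reporting which values appear verbatim and whether group/other can access the file. Assumptions: the core SDBM_File module stands in for NDBM_File, the store lives in a temporary directory, and the credential values and the two helper subs are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl;
use SDBM_File;                 # assumption: core SDBM_File instead of NDBM_File
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sample credentials, not real ones.
my %sample = (dsn => 'example_dsn', user => 'example_user',
              psw => 'S3cr3t-constructed');

my $dir  = tempdir(CLEANUP => 1);
my $base = File::Spec->catfile($dir, 'auth');

# Create the store owner-only (0600); Windows largely ignores this mode.
my %hash;
tie(%hash, 'SDBM_File', $base, O_RDWR | O_CREAT | O_EXCL, 0600)
    or die "cannot create $base: $!";
$hash{$_} = $sample{$_} for keys %sample;
untie %hash;

# Names of the fields whose value appears verbatim in the raw bytes of $file.
sub plaintext_fields {
    my ($file, $fields) = @_;
    open(my $fh, '<:raw', $file) or die "cannot read $file: $!";
    my $bytes = do { local $/; <$fh> };
    close $fh;
    return grep { index($bytes, $fields->{$_}) >= 0 } sort keys %$fields;
}

# True when group or other hold any permission bit (meaningful on POSIX only).
sub loosely_permissioned {
    my ($file) = @_;
    my $mode = (stat($file))[2] & 07777;
    return ($mode & 0077) ? 1 : 0;
}

# SDBM keeps the key/value data in the .pag file next to a .dir index.
my $pag   = "$base.pag";
my @found = plaintext_fields($pag, \%sample);
print "fields readable from raw bytes of $pag: @found\n";
print "group/other can access the file: ",
      (loosely_permissioned($pag) ? "yes" : "no"), "\n";
```

All three fields are reported as readable, because a DBM file stores values as raw bytes: the binary format only keeps the file from being read casually, so access control on the file is what protects the password.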