I’ve written quite a lot of scripts over the last twenty years and have always tried to secure my database usernames and passwords. I’ve made use of directories with 0400 and 0440 permissions, making the directories only readable by a certain group. Then I’d add the group id to the “run as” user of my script. I’ve gone a little further as well and tried to hide my passwords by obscurity, doing things such as making my files “.passwords” (well, not that name, but I need to be careful how much I give away, after all, this is a blog!).
So if for example I create a file called “/home/ahbaidg/.hidden/.passwords” the file’s contents would look like this:
I’d protect the file from world readability and use “chmod 0400 .passwords” so only my app could read it.
Then in my shell scripts I’d grep through the file and use awk to parse it like so:
The remainder of the script would then connect to the database doing something like:
The password is in a readable file and can eventually be read if someone had the right privileges on the host. My approach was to hide the password by obscuring it. With sufficient privileges, the password is in plain text and remains readable. How can this be made more secure? One way is to use an Oracle Wallet. A wallet can be distributed to users without sharing the user password and at the same time storing the passwords in an encrypted store.
In my next post I’ll go into how to setup an Oracle Wallet.