How to pass a password with a cron job safely

authenticationcroncurlpassword

I have a site map generator script placed in this URL

http://www.mydomain.com/admin/sitemapgen/

However this URL is protected with an username and a password in auth_type basic method.

I need to place a cron to access this URL once a week.
So I've decided to use the curl command and placed the cron like below.

curl -u username:mypassword http://www.mydomain.com/admin/sitemapgen/

I'm aware that sending a password through http is insecure, however at least I'm trying to hide the password from server/hosting panel users from this curl command.

1) Are there any methods to hide the password in this curl command? I read something about placing a plain text file with the password in server and use it with the -k option. However I'm not in to place the password in a plain text file either.

2) Are there any other commands than curl to use for this specific purpose?

Best Answer

To avoid showing the password on the command where other users can see it with ps, you should not pass the password in the command. It's why many utilities don't support passwords as command line arguments.

Instead store your password in a ~/.netrc file and pass the -n option to curl.

For the details of file syntax, I let you see the man of curl.

Related Solutions

Emptying a directory owned by another user weekly

Edit the /etc/sudoers file (use visudo!) and add an entry that allows the shell user to have sufficient privileges to run a specific command, without having to enter a password. If you use a script, make sure the script cannot by edited by anyone but root.

In /etc/sudoers, where shelluser is the shell user name:

shelluser ALL=NOPASSWD: /usr/bin/clean-up-sftp-temp-directory

In a /usr/bin/clean-up-sftp-temp-directory script, you can put something like:

#!/bin/sh
rm -f /home/sftpuser/will-be-deleted/*

After making the script executable, you should be able to call sudo clean-up-sftp-temp-directory and add it to the shell user's crontab.

How to use the login password to do two things

I generally use the automount service for shares like this that I'll periodically want to mount and use. Setting this up, once you understand how, is fairly trivial.

Step #1 - setup automounting

You'll need to make sure that packages are installed. On CentOS 6 that would be autofs. Most likely other distros will use a similar name. You'll then need to create the following files:

# /etc/auto.master
/mymountpt          /etc/auto.mymountpt --timeout=600 --ghost

# /etc/auto.mymountpt
someshare                  -fstype=cifs,rw,noperm,netbiosname=${HOST},credentials=/etc/credentials.txt ://cifsserver/sharename

# /etc/credentials.txt
username=mydom\myuser
password=somepassword

You'll need to make the permissions on this last file like so:

$ sudo chmod 600 /etc/credentials.txt

You'll also need to make sure that NSS (Name Service Switch) is aware of this setup:

# /etc/nsswitch.conf
automount:  files nisplus

With these files in place you should now be able to start the autofs service.

$ sudo service autofs start

Step #2 - testing it out

Once the service has been started, you'll be able to access this path at will:

$ cd /mymountpt/someshare

The mounting of this share is now governed by autofs which will watch for 600 seconds of inactivity, at which point it will unmount the share.

This approach may seem a bit heavy handed but by doing things this way, you've alleviated your system from having to be dependent on a particular CIFS share as being available at boot. You've moved it so that it's now on demand when it's actually being used.

What to do if you don't have root login?

If you find you don't have these packages installed and aren't able to install them then your options become far fewer.

I would take a look at the Samba article in the ArchLinux Wiki, it covers other methods as well. You could also make use of FUSE to mount a variety of types of media as local directories, including SMB/CIFS. This is covered in the FUSESmb article on the Ubuntu Wiki.