Linux – How to log into database via script securely

linuxpasswordSecurity

I am wondering about whether it is acceptable (security-wise) to have database login credentials (user/pass) set in an environment variable or passed in as a command-line parameter?

Both of these methods seem risky to me as perhaps others can read the environment variable or read the running processes/history and credentials would be there in plain-text (Is my understanding correct here?)

What would be an acceptable way to do this login? It would be run in a script as part of an automated job/process.

Edit: This is an Oracle database (11g)

Edit #2: Oracle Wallet was considered at one point, but can't be used yet where I work.

Best Answer

I'm not really experienced with Oracle databases (or databases for that matter), but it seems a Perl solution is possible with Oracle wallet as shown here (Google search terms "oracle database passwordless login").

Related Solutions

Securely automating a script which requires a key to do its task

Here is how I wound up solving the problem.

First, I created a separate key server that starts up at the same time as the main server. Its sole purpose is to hand out keys to authorized processes. It does this by running an md5sum on the calling binary, then seeing which keys that binary is allowed to access. The calling binary (in this case, the script, which has been compiled to an executable) requests the keys from this server and then proceeds as normal.

The key server runs all the time and maintains a keychain password in its own memory. On startup, it does not have the keychain password, and thus cannot respond to requests for keys. So before it can do this, it requires that the keychain password gets set. This can be done via a web interface or the command line and requires user interaction. This secures the system by requiring that somebody physically enter the correct password. This generally only needs to be done once per reboot, since the key server never terminates.

How to use the login password to do two things

I generally use the automount service for shares like this that I'll periodically want to mount and use. Setting this up, once you understand how, is fairly trivial.

Step #1 - setup automounting

You'll need to make sure that packages are installed. On CentOS 6 that would be autofs. Most likely other distros will use a similar name. You'll then need to create the following files:

# /etc/auto.master
/mymountpt          /etc/auto.mymountpt --timeout=600 --ghost

# /etc/auto.mymountpt
someshare                  -fstype=cifs,rw,noperm,netbiosname=${HOST},credentials=/etc/credentials.txt ://cifsserver/sharename

# /etc/credentials.txt
username=mydom\myuser
password=somepassword

You'll need to make the permissions on this last file like so:

$ sudo chmod 600 /etc/credentials.txt

You'll also need to make sure that NSS (Name Service Switch) is aware of this setup:

# /etc/nsswitch.conf
automount:  files nisplus

With these files in place you should now be able to start the autofs service.

$ sudo service autofs start

Step #2 - testing it out

Once the service has been started, you'll be able to access this path at will:

$ cd /mymountpt/someshare

The mounting of this share is now governed by autofs which will watch for 600 seconds of inactivity, at which point it will unmount the share.

This approach may seem a bit heavy handed but by doing things this way, you've alleviated your system from having to be dependent on a particular CIFS share as being available at boot. You've moved it so that it's now on demand when it's actually being used.

What to do if you don't have root login?

If you find you don't have these packages installed and aren't able to install them then your options become far fewer.

I would take a look at the Samba article in the ArchLinux Wiki, it covers other methods as well. You could also make use of FUSE to mount a variety of types of media as local directories, including SMB/CIFS. This is covered in the FUSESmb article on the Ubuntu Wiki.