So this is my code: https://github.com/trisimix/serialcontrol/blob/master/serialcontrol.py

import subprocess
import os
import stat
dmi = subprocess.check_output('dmidecode', shell=True)
#print(variable)
#run program once as root then cron it as root
try :
    file = open("/var/log/serialcontrol/dmidecode.txt", "r")
    file.close()
except FileNotFoundError:
    script = '/var/tmp/serialcontrol.bash'
    with open(script, 'w') as file:
        file.write("#!/bin/bash\nif [ ! -d /var/log/serialcontrol/ ]\nthen\n\tmkdir /var/log/serialcontrol/\nfi")
    #st = os.stat(script)

    #os.chmod(script, st.st_mode | stat.S_IEXEC)

    subprocess.call(["bash", script])
    subprocess.call(["rm", script])
#with open('/var/log/serialcontrol/dmidecode.txt' , 'w') as file:
#        file.write(dmi);
file = open("/var/log/serialcontrol/dmidecode.txt" , "w");
# check_output returns bytes; decode to text instead of calling str(), which
# would keep the b'...' wrapper and the escaped \n and \t sequences
dmi = dmi.decode()
file.write(dmi)
file.close()
script2 = '/var/log/serialcontrol/serialcontro1.bash'
#with open(script2, 'w') as file:
#   file.write('#!/bin/bash\nrecipients="archmachine9@gmail.com"\nsubject="...Subject..."\necho -e "to: $recipients\nsubject: $subject\n"| (cat - &&uuencode /var/log/serialcontrol/dmidecode.txt) | ssmtp archmachine9@gmail.com')
import smtplib
sender = 'archmachine9@gmail.com'
receivers = 'archmachine9@gmail.com'
message = "\r\n".join([
    "From: archmachine9@gmail.com",
    "To: archmachine9@gmail.com",
    "Subject: SerialControl",
    "",
    dmi
    ])
username = 'archmachine9@gmail.com'
password = ''
server = smtplib.SMTP('smtp.gmail.com:587')
server.ehlo()
server.starttls()
server.login(username,password)
server.sendmail(sender, receivers, message)
server.quit()
#subprocess.call(["bash", script2])
#this sub is supposed to /n with actual /n's
#subprocess.run(["sed -i 's/\\n/\n/g' /var/log/serialcontrol/dmidecode.txt"], shell=True)
#except FileNotFoundError:
#file = open('/var/tmp/serialcontrol.bash', 'w') 
#file.write("#!/bin/bash/\nif [ ! -d /var/log/serialcontrol/]\nthen\n\tmkdir /var/log/serialcontrol/\nfi");
#file.close()
#st = os.stat("/var/tmp/serialcontrol.bash")
#os.chmod("/var/tmp/serialcontrol.bash", st.st_mode | stat.S_IEXEC)
#subprocess.call("/var/tmp/serialcontrol.bash")

I know it's really, really, really, really, REALLY bad, but in the password segment I have to type my password before I cron this script, and the password gets stored as plaintext. How do I fix this?

Siva Shanmugam
Jake Horse

1 Answer

As you tagged the question with bash I shall assume that you use a Linux or Unix-like system.

That is what I would call a machine password. If you want it to be used from a script launched via cron, it must be accessible somewhere on the disk.

The correct (or less bad) way is to:

  • use a dedicated mail account for that usage - not your personal mail account (but archmachine9 is a hint that you have already done that...) - ideally it should be impossible to log in with this account (a single `*` in the password field for example)
  • use a system account on the machine - neither root nor your main local account
  • store the password in a file located under the home directory of that system account. The password should be read/write only for the owner
  • extract the username, password and eventually server from the environment
  • if you cannot find one of them, read them from the file
  • alternatively embed the script in a launcher that reads the credentials from the file, and puts them in the environment before starting the real script (my favorite option)

That way, even if the mail account is shared over different scripts, you will have one central point to change the password, and as it is stored in a file only accessible to a system account, only the machine admin (root) should be able to read it. And you do not have to know it to develop, maintain and test the script; you will just have to put a test mail account in your dev environment.

TL/DR: the password has to be stored as plaintext on the machine for the script to be launchable via cron, but it shall not be in the script itself.

Serge Ballesta
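
The environment-then-file lookup from the answer's list, as an added example (not code from the question or from the answer). The environment variable names, the KEY=VALUE file format and the default path are assumptions; the loader refuses a credentials file that is not owned by the running account or that group/others can access.

```python
import os
import stat

# Assumed names (not from the original post): the environment variable names,
# the KEY=VALUE file format, and a default path under the system account's home.
KEYS = ("SMTP_USERNAME", "SMTP_PASSWORD", "SMTP_SERVER")
DEFAULT_FILE = "/var/lib/serialcontrol/.smtp_credentials"


def read_credentials_file(path):
    """Parse KEY=VALUE lines, refusing files that other accounts could read."""
    # O_NOFOLLOW: do not follow a symlink planted at the final path component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r") as handle:
        info = os.fstat(handle.fileno())  # inspect the file that was actually opened
        if not stat.S_ISREG(info.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if info.st_uid != os.geteuid():
            raise PermissionError(f"{path} is not owned by the running account")
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} must be mode 0600 (owner only)")
        values = {}
        for line in handle:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")  # value may itself contain '='
                values[key.strip()] = value.strip()
    return values


def load_smtp_credentials(path=DEFAULT_FILE, environ=os.environ):
    """Take each value from the environment; read the file only if one is missing."""
    creds = {key: environ.get(key) for key in KEYS}
    if not all(creds.values()):
        from_file = read_credentials_file(path)
        for key in KEYS:
            creds[key] = creds[key] or from_file.get(key)
    missing = [key for key in KEYS if not creds[key]]
    if missing:
        raise KeyError(f"missing credentials: {', '.join(missing)}")
    return creds
```

In the question's script, the hard-coded `username` and `password` assignments would be replaced by values returned from `load_smtp_credentials()`.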