Problem: Customer would like to make sure that the script I've developed in Python, running under CentOS7, can sufficiently obscure the credentials required to access a protected web service (that only supports Basic Auth) such that someone with access to the CentOS login cannot determine those credentials.

Discussion: I have a Python script that needs to run as a specific CentOS user, say "joe". That script needs to access a protected Web Service. In order to attempt to make the credentials external to the code I have put them into a configuration file. I have hidden the file (name starts with a period "."), and base64 encoded the credentials for obscurity, but the requirement is to only allow the Python script to be able to "see" and open the file, vs anyone with access to the CentOS account.

Even though the file is hidden, "joe" can still do an ls -a and see the file, and then cat the contents.

As a possible solution, is there a way to set the file permissions in CentOS such that they will only allow that Python script to see and open the file, but still have the script run under the context of a CentOS account?

  • This is not really possible. Could you explain why you want to? What are you trying to prevent `joe` from doing? It's likely we'll need to examine the larger context lest this become an [XY problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). – John Kugelman Apr 16 '20 at 18:15
  • Thanks @JohnKugelman. I've tried to re-phrase the question to avoid this becoming an XY problem. – jolin-nexthink Apr 17 '20 at 23:12

1 Answer

Naive solution

For this use-case I would probably create, with a script (sh or zsh or whatever, but I guess u use the default one here), a temporary user iamtemporal-and-wontstayafterifinish. Then create the config file so that it can be read ONLY by specifically this user (and no permission for all the others). Read here for the how: https://www.thegeekdiary.com/understanding-basic-file-permissions-and-ownership-in-linux/

Getting harder

If the problem still arises in case someone would have root rights (for any such reason), then just simply forget everything above, and start planning for a vacation, cuz' this will be a lot longer than anyone would think. It is not anymore a simple python problem, but needs a different business logic. The best u could do is to implement (at least this credentials handling part) in a low-level language so it could handle memory in a customized way and ask for them at runtime only, don't store them... Or maybe if u could limit the scope of this user's access towards the protected Web Service as u say.

Bonus

Even tho it wasn't explicitly asked, I would discourage you from storing credentials using a simple base64... For this purpose a simple solution could be the following one at least (without the knowledge of the whole armada of cryptography):

  • encrypt the password with an asymmetric cryptographic algorithm (probably RSA with a huge key)
  • inject the key for decryption as an env var while you have an open ssh session to the remote terminal
  • ideally u use this key only while u decrypt and send it, afterwards make sure u delete the references to the variables

Sidenote: it's still filled with 'flaws'. If security is really a problem, I would consider changing technology or using some sort of lib that handles this stuff more securely. I would probably start here: Securely Erasing Password in Memory (Python). Not to mention memory dumps can be read 'easily' (if u know what u are looking for...): https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/ So yeah, having a key-server which sends you the private key to decrypt is not enough, if you read these last two web entries...
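
The "naive solution" in the answer above (a dedicated account plus a file only that account can read) holds only while the file's ownership and mode stay as intended. The following is an added example, not code from the question or the answer: a Python loader that refuses a credentials file unless it is a regular file, owned by the running account, with no group/other permission bits. The file name `.svc_credentials`, the `user:password` layout and all function names are assumptions made for illustration.

```python
import os
import stat
import tempfile


class InsecureCredentialFile(Exception):
    """Raised when the credentials file is not locked down to one account."""


def load_credentials(path, expected_uid=None):
    """Return (user, password) only if the file is 0600-or-stricter and owned by expected_uid."""
    if expected_uid is None:
        expected_uid = os.geteuid()  # assumption: the script runs as the service account
    # O_NOFOLLOW refuses a symlink placed where the real file should be.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # inspect the opened descriptor, not the path, to avoid a race
        if not stat.S_ISREG(st.st_mode):
            raise InsecureCredentialFile("not a regular file")
        if st.st_uid != expected_uid:
            raise InsecureCredentialFile("owned by uid %d" % st.st_uid)
        if st.st_mode & 0o077:
            raise InsecureCredentialFile("mode %o lets group/other in" % stat.S_IMODE(st.st_mode))
        data = os.read(fd, 4096).decode()
    finally:
        os.close(fd)
    user, _, password = data.strip().partition(":")
    if not user or not password:
        raise InsecureCredentialFile("expected 'user:password'")
    return user, password


def demo():
    """Constructed sample: the same file is rejected at 0644 and accepted at 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".svc_credentials")  # hypothetical file name
        with open(path, "w") as fh:
            fh.write("svc-user:constructed-password\n")
        os.chmod(path, 0o644)
        try:
            load_credentials(path)
            rejected = False
        except InsecureCredentialFile:
            rejected = True
        os.chmod(path, 0o600)
        return rejected, load_credentials(path)


if __name__ == "__main__":
    print(demo())
```

The check catches a file that other accounts could read; it does nothing against the owning account itself or against root, which is the limit the answer describes.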