digital adj. Having digits.     peer n. A comrade; a companion; a fellow; an associate. inmotion    
   
Recent Articles
Handling a Subversion Repository URL Change
Sunday, May 3, 2009
If your repository URL changes, you can use the following command to fix existing snapshots.
vfat Mounts Default to Lowercase Shortnames
Tuesday, April 21, 2009
I want a "this is brain-damage" quote from Linus for this mess.
VirtualBox or VMWare Virtual Machine at Login
Sunday, April 12, 2009
How to start a virtual machine in X when a user logs in.
Dialog Progress Bar Through Pipe
Sunday, April 12, 2009
How to use dialog to display a script progress bar and communicate progress to it through a named pipe.
Mount JFFS2 Image
Saturday, October 25, 2008
Example of how to mount a JFFS2 image using mtdblock.
Ottawa Linux Symposium 2008
Sunday, July 27, 2008
Here are some pictures from the 2008 Linux Symposium.
Linux Symposium 2008
Sunday, July 20, 2008
I'll be attending the Linux Symposium this year.
Clay Shirky: Institutions vs. collaboration
Monday, July 14, 2008
This is a rather interesting talk that takes some very foundational ideas from open source software development, P2P networks, and social networking and implies that these paradigms can apply to a lot more.

I will always love the false image I had of you.

Projects-User...-safepwd -...

safepwd - Shadow Credentials for Your Program Binary

Thursday, August 19, 2004 by digitalpeer

This is a Linux application that validates a parent, invoking binary and returns associated passwords to it. This creates a application -> password validation and not a user -> application validation.

An Example for Needing This


This is a secure solution to applications that need to have credentials embedded in them to access something else. Of course, this will only be valid for a local network and doesn't really apply to Internet applications and the like.

Say you need to access a MySQL database with your application. You have it all setup to do that, but now you have to include the password in the binary or even worse, in the source code. Considering that your application is an open source application, it makes your compiled in credentials useless and your database wide open. What this will allow you to do is query credentials stored in a protected file, only accessible through the safepwd application. This is similar to how Linux shadowed passwords work. However, while this system relies on Linux file permissions, it does not use Linux accounts.

How it Works


safepwd and safe.txt are stored somewhere on your network. safe.txt is only readable by root or some other user. safepwd, when invoked by any user, runs as root so it can read the safe.txt file (chmod u+s safepwd).

safepwd is invoked as child process in your application. safepassword will then compute a MD5 hash of your application binary and based on that, supply it with the password it needs from a password file. This ensures that only a validated compilation of your binary has access to the credentials. The user never even sees any of this nor does he or she have access to the credentials themselves. Your credentials are stored safely in a remote file and not in the binary or world readable files. Any user can run your application and have access to your database soley through your application.

This can be extremely useful if you have an open source application and a bunch of users that should not have access directly to your database by any other means than your application.

image-396

Making it Work


See the INSTALL file in the root of the source code.

Advantages



Drawbacks



Possible Security Breaches


I can't really think of any right now. Please let me kow if you think of a way around this. This was pretty much a quick solution for a problem I've always had.


Submit Comment to This Article - Be the first!
Please post a comment if you have something to add, find something wrong, or would like more information on the topic at hand. Do not use the comment form to contact the author about unrelated concerns!

Name: Email (optional):
Enter verification number here: