how to hide oracle instance name within dbi code??
on 13.04.2006 15:59:02 by lding
We have a requirement here that we can't hard code any oracle database
instance name for security reasons. Is there any way we can pass the
connection string (for example, the oracle tnsname alias), or put the
instance name in a configuration file and somehow pass the information
from the configuration to the DBI code, so that the public won't see
the actual instance name in the code? I know we can do that in many
other languages, but can we do that using DBI for oracle?
use strict;
use DBI;
my $dbh = DBI->connect( 'dbi:Oracle:orcl',
'jeffrey',
'jeffspassword',
);
Thanks a lot for any input.
Linda
Re: how to hide oracle instance name within dbi code??
on 13.04.2006 16:42:41 by Luke.Bakken
> We have a requirement here that we can't hard code any oracle database
> instance name for security reasons. Is there any way we can pass the
> connection string (for example, the oracle tnsname alias), or put the
> instance name in a configuration file and somehow pass the information
> from the configuration to the DBI code, so that the public won't see
> the actual instance name in the code? I know we can do that in many
> other languages, but can we do that using DBI for oracle?
How can you do that in other languages? If you have strings in the
executable file, they can be discovered.
You could read the data from a file (the file could even be encrypted)
and pass it to connect(), or get it out of the environment.
> use strict;
> use DBI;
>
> my $dbh = DBI->connect( 'dbi:Oracle:orcl',
> 'jeffrey',
> 'jeffspassword',
> );
>
> Thanks a lot for any input.
>
> Linda
RE: how to hide oracle instance name within dbi code??
on 13.04.2006 16:43:23 by KongA
Create your own module as exporter, db.pm for example, like something
below. Place the file in any location specified in @INC, then call it
in the perl program with "use db;".
package db;
use strict;
use warnings;
use Exporter ();
our @ISA    = qw(Exporter);
# export the three connect() arguments into the caller's namespace
our @EXPORT = qw( $oUser $oPass $oString );

our $oUser   = "username";
our $oPass   = "password";
our $oString = "connect_string";   # e.g. "dbi:Oracle:orcl"

1;   # a module must return true
-----Original Message-----
From: Linda Ding [mailto:lding@broad.mit.edu]
Sent: Thursday, April 13, 2006 9:59 AM
To: dbi-users@perl.org
Subject: how to hide oracle instance name within dbi code??
We have a requirement here that we can't hard code any oracle database
instance name for security reasons. Is there any way we can pass the
connection string (for example, the oracle tnsname alias), or put the
instance name in a configuration file and somehow pass the information
from the configuration to the DBI code, so that the public won't see
the actual instance name in the code? I know we can do that in many
other languages, but can we do that using DBI for oracle?
use strict;
use DBI;
my $dbh = DBI->connect( 'dbi:Oracle:orcl',
'jeffrey',
'jeffspassword',
);

Thanks a lot for any input.
Linda
Re: how to hide oracle instance name within dbi code??
on 13.04.2006 16:53:08 by Alexander
If "the public" can see your code, "they" also can see where the
configuration file is stored and how it is parsed. Nothing gained if
"they" have read access to the configuration file.
Think about using DBD::Proxy to connect to a proxy server running on a
separate, well protected machine that finally connects to oracle.
Think about setting proper permissions on your files, making sure "the
public" does *NOT* have read access. (chmod o-rwx *.pl *.pm)
And please explain your environment a little bit more in detail so we
may find a proper solution. Why do you think "the public" has read
access to your code? Do you talk about placing files on a webserver? Put
your files somewhere outside the document root directory and outside the
cgi-bin directory and use "use lib '/path/to/your/protected/directory';"
before loading your modules.
Alexander
On 13.04.2006 15:59, Linda Ding wrote:
> We have a requirement here that we can't hard code any oracle database
> instance name for security reasons. Is there any way we can pass the
> connection string (for example, the oracle tnsname alias), or put the
> instance name in a configuration file and somehow pass the information
> from the configuration to the DBI code, so that the public won't see
> the actual instance name in the code? I know we can do that in many
> other languages, but can we do that using DBI for oracle?
>
>
> use strict;
> use DBI;
>
> my $dbh = DBI->connect( 'dbi:Oracle:orcl',
> 'jeffrey',
> 'jeffspassword',
> );
>
>
>
> Thanks a lot for any input.
>
> Linda
>
--
Alexander Foken
mailto:alexander@foken.de http://www.foken.de/alexander/
Re: how to hide oracle instance name within dbi code??
on 13.04.2006 17:01:25 by Alexander
On 13.04.2006 16:42, Luke Bakken wrote:
>How can you do that in other languages?
>
Good question.
>If you have strings in the
>executable file, they can be discovered.
>
>
They could be encrypted, using something trivial like rot13 or xor, or
even good encryption algorithms like 3DES, blowfish, etc., and still
they can be recovered. See below.
>You could read the data from a file (the file could even be encrypted)
>
>
... and because you need the decryption key and the decryption algorithm
in the program, nothing is gained.
You make it a little bit harder for a script kiddie to find the connect
data, but for someone with a motivation, this is just a little bit more
work.
>and pass it to connect(), or get it out of the environment.
>
>
Try strings /proc/self/environ on any linux box. The environment is not
the best place to save sensitive data, nor is the command line.
Encryption does not help here. Make sure your application server is
properly protected: Remove all unneeded applications and services, place
it behind a firewall, make sure no one can login on the server except a
crew of qualified administrators.
Alexander
--
Alexander Foken
mailto:alexander@foken.de http://www.foken.de/alexander/
Re: how to hide oracle instance name within dbi code??
on 13.04.2006 17:46:00 by hjp
On 2006-04-13 09:59:02 -0400, Linda Ding wrote:
> We have a requirement here that we can't hard code any oracle database instance
> name for security reasons.
[...]
> my $dbh = DBI->connect( 'dbi:Oracle:orcl',
> 'jeffrey',
> 'jeffspassword',
> );
I'd be a lot more worried about the password than the instance name in
this case.
> Is there any way we can pass the connection string
> (for example, the oracle tnsname alias), or put the instance name in a
> configuration file
This question sounds like "can I read files in perl?" and I'm sorely
tempted to answer "yes, of course" and leave it at that.
But I'm assuming that you want to know how other people solve this (very
common and also rather trivial) problem, so I'm posting the code I use
in DBI programs:
sub init {
    my ($self, %opts) = @_;
    # credential file: explicit option, then $DBI_CREDENTIAL_FILE, then "default"
    my $cred_file = $opts{credential_file} || $ENV{DBI_CREDENTIAL_FILE} || "default";
    # a bare name (no slash) is looked up under ~/.dbi/
    if ($cred_file !~ m{/}) {
        $cred_file = "$ENV{HOME}/.dbi/$cred_file";
    }
    $self->{dbh} = DBI->connect(_read_cred($cred_file),
                                { RaiseError => 1, AutoCommit => 0 });
    # ... more initialization stuff ...
}

# read credentials from file: a single line "dsn user password",
# separated by whitespace
sub _read_cred {
    my ($fn) = @_;
    open(my $fh, '<', $fn) or die "cannot open $fn: $!";
    my $line = <$fh>;
    close($fh);
    my @cred = split(/[\s\n]/, $line);
    return @cred;
}
This is taken from a module which manages mail messages in a database.
init is an object method which connects to the database and does some
other initialization stuff.
It can be called like
$store->init(credential_file => '/var/lib/www/offline/webmail/dbi/connect_data');
in which case it will read that file. If no file is specified it will
use the environment variable DBI_CREDENTIAL_FILE instead or fall back to
"default" if that isn't set either. If the filename doesn't start with a
slash it is relative to ~/.dbi. So I can configure various databases
in my ~/.dbi directory and run my scripts against each of them by just
changing the DBI_CREDENTIAL_FILE env variable.
hp
--
_ | Peter J. Holzer | If I wanted to be "academically correct",
|_|_) | Sysadmin WSR | I'd be programming in Java.
| | | hjp@wsr.ac.at | I don't, and I'm not.
__/ | http://www.hjp.at/ | -- Jesse Erlbaum on dbi-users
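Peter's credential-file approach above, together with Alexander's advice earlier in the thread to keep the file unreadable by "the public", can be combined into one loader that refuses to use a file that other users can read. The following is an added example, not code from Peter, Alexander or the DBI project; the "key = value" file format, the check that the file is mode 0600 and owned by the running user, and the sample Oracle DSN are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): load DBI->connect arguments from a
# credential file kept outside the document root, refusing to use it if it
# is readable by group or others. File format and paths are assumptions.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);
use DBI;

# Parse "key = value" lines; dsn, user and password are required.
sub parse_cred {
    my ($text) = @_;
    my %cred;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;            # skip comments and blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "bad credential line: $line\n";
        $cred{lc $k} = $v;
    }
    for my $need (qw(dsn user password)) {
        die "credential file lacks '$need'\n" unless defined $cred{$need};
    }
    return \%cred;
}

# Refuse a file that other users could read, the way ssh does for private keys.
sub check_private {
    my ($path) = @_;
    my @st = stat $path or die "cannot stat $path: $!\n";
    my $mode = $st[2] & 07777;
    die sprintf("%s is mode %04o; chmod 600 it first\n", $path, $mode)
        if $mode & (S_IRWXG | S_IRWXO);
    die "$path is not owned by the running user\n" unless $st[4] == $>;
    return 1;
}

sub read_cred_file {
    my ($path) = @_;
    check_private($path);
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    local $/;                                    # slurp the whole file
    my $text = <$fh>;
    close $fh;
    return parse_cred($text);
}

# Build the full argument list for DBI->connect from the file.
sub connect_args {
    my ($path) = @_;
    my $c = read_cred_file($path);
    return ($c->{dsn}, $c->{user}, $c->{password},
            { RaiseError => 1, PrintError => 0, AutoCommit => 0 });
}

# Demonstration with a constructed credential file in a temporary location.
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh "# constructed sample; the instance name never appears in the script\n",
          "dsn      = dbi:Oracle:orcl\n",
          "user     = jeffrey\n",
          "password = jeffspassword\n";
close $fh;
chmod 0600, $path or die "chmod $path: $!\n";

my @args = connect_args($path);
print "would connect with DSN '$args[0]' as user '$args[1]'\n";

# Real use, with the file at an assumed path outside the web root:
#   my $dbh = DBI->connect(connect_args('/etc/myapp/db.cred'));
```

The permission check is the part that actually buys something: as Alexander points out, a reader of the script can also read its config file, so the file itself must be the thing that is protected. Loosening the check to allow group read (for example when the web server runs under a dedicated group) is a deliberate decision to make per deployment, not a default.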
Re: how to hide oracle instance name within dbi code??
on 13.04.2006 18:05:20 by hjp
On 2006-04-13 17:01:25 +0200, Alexander Foken wrote:
> On 13.04.2006 16:42, Luke Bakken wrote:
> >If you have strings in the executable file, they can be discovered.
> >
> They could be encrypted, using something trivial like rot13 or xor, or even
> good encryption algorithms like 3DES, blowfish, etc., and still they can be
> recovered. See below.
That depends. If the program is used interactively, encrypting stored
passwords makes sense. See for example the way Mozilla stores passwords
for web sites. The user enters a master password to decrypt the stored
passwords, which limits attacks to the time he is actually using the
program. If someone gets access to the file with the stored passwords
(e.g., by stealing the computer or a backup) he cannot access the
passwords.
If the program is used non-interactively (e.g. a web server), encrypting
stored passwords is useless, because the key has to be stored as well.
Removing passwords and similar sensitive information from the code and
putting them into configuration files still makes a lot of sense:
1) You can publish the source code.
2) You let several of your users use the same scripts and let each of
them manage their own passwords.
3) It centralizes information in one place - you just have to change one
config file instead of umpteen scripts.
[...]
> Try strings /proc/self/environ on any linux box.
Not very impressive. That's the environment of the process itself. It
can access that anyway :-).
Try /proc/$pid/environ for a process which you do not own. You cannot
read that unless you are root. So on linux, putting sensitive data into
the environment is about as safe as putting them into a file.
--
_ | Peter J. Holzer | If I wanted to be "academically correct",
|_|_) | Sysadmin WSR | I'd be programming in Java.
| | | hjp@wsr.ac.at | I don't, and I'm not.
__/ | http://www.hjp.at/ | -- Jesse Erlbaum on dbi-users
Re: how to hide oracle instance name within dbi code??
on 13.04.2006 19:42:28 by me
On 4/13/06, Linda Ding wrote:
> We have a requirement here that we can't hard code any oracle database
> instance name for security reasons. Is there any way we can pass the
> connection string (for example, the oracle tnsname alias), or put the
> instance name in a configuration file and somehow pass the information
> from the configuration to the DBI code, so that the public won't see
> the actual instance name in the code? I know we can do that in many
> other languages, but can we do that using DBI for oracle?
>
>
> use strict;
> use DBI;
>
> my $dbh = DBI->connect( 'dbi:Oracle:orcl',
> 'jeffrey',
> 'jeffspassword',
> );
I think the OP's question is more simple than what is being answered.
It looks like she doesn't realize she can use a variable instead of a
hard coded literal in the connect method.
Linda,
Your connect can look like:
my $dbh = DBI->connect( $connect_string, $userid, $password );
You are free to use whatever way you choose to populate the
$connect_string, $userid, and $password variables. There are probably
about a million different ways to choose from.
Jay
Re: how to hide oracle instance name within dbi code??
on 14.04.2006 02:35:20 by ron
On Thu, 13 Apr 2006 17:46:00 +0200, Peter J. Holzer wrote:
Hi Peter
> $store->init(credential_file =3D>
> '/var/lib/www/offline/webmail/dbi/connect_data');
And if for some reason you put the config file in a directory from which the
client can run scripts, i.e. alongside *.cgi, you can call the file
.ht$something, and use Apache's config file to block access to files with names
like /^\.ht.+/.
--
Cheers
Ron Savage, ron@savage.net.au on 14/04/2006
http://savage.net.au/index.html
Let the record show: Microsoft is not an Australian company
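The Apache rule Ron describes, written out as an added example that is not part of his message or of any project's shipped configuration. It assumes Apache 2.4 syntax and a credential file named with a leading ".ht" (the name .htdbcred is invented for the illustration).

```apacheconf
# Added example (not from the thread): refuse to serve any file whose name
# begins with ".ht", so a credential file such as .htdbcred placed next to
# the CGI scripts is never delivered to a client. A stock httpd.conf ships
# an equivalent block; keep whichever copy you already have.
<Files ".ht*">
    Require all denied
</Files>

# The same rule in Apache 2.2 syntax:
# <Files ".ht*">
#     Order allow,deny
#     Deny from all
# </Files>
```

This only stops the web server from serving the file over HTTP; it does not stop other local users from reading it, so the file permissions still need to be set as Alexander suggested earlier in the thread.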