Is it safe to write a FTP password on a Perl script?

Question

I am writing a Perl script that should connect to a FTP server at some point.

I use Net::FTP module and the login() method to connect, but I am wondering if it is safe to write the password directly in the script. I will chmod the file access to 711, but I am not sure that's enough.

Is there a way to pass the password to the method in a safer way?

Answer 1

If you don't want others on the machine to execute it, chmod 700. There's a number of reasons why it's a good idea for the password to be in a separate file. If you move the password to a config file, that file should be chmod 600.

---

If you want others on the machine to execute it, chmod 711 isn't going to work. perl must be able to read the script to execute it, so you'd need chmod 755, which means they'll be able to see the password.

The only solution that comes to mind involves file permissions and a set-uid script.

1. Move the password in a config file.
2. Create a user to own this application. Let's call it scriptuser. (You could your existing user, but keep in mind the script will be executing as that user.)
3. chown scriptuser script.pl script.conf.
4. chmod 600 script.conf
5. chmod 4755 script.pl

Use script.pl (not perl script.pl) to execute it.

Answer 2

There's no way to securely provide a password in a script, yet allow automatic execution.

You have to store the password somewhere.

It might be better to store it to an external file, so that you do not have to hide away your whole script. For example you might want to have your script reviewed and put to code repository, without the password.