Arty155

Reputation: 113

Unix shell error after encrypting a script file

I have 2 shell scripts, one calling the other: callouter.sh and callscript.sh.

callouter.sh :

export oraSchemaPass='scott/tiger'
echo 'This script is about to run another script'
sh ./callscript.sh

callscript.sh :

sqlplus -S ${oraSchemaPass} @/home/scripts/callscript.sql

callscript.sql is :

set pagesize 1000
select * from emp;
EXIT

This works perfectly fine. No error whatsoever. This is Korn shell, by the way.

Now I did 2 things :

  1. encrypted the callouter.sh using openssl :

    openssl enc -e -aes-256-cbc -salt -a -in /home/scripts/callouter.sh -out /home/scripts/callouter.enc -pass pass:W3lc0m3987

The file encrypted successfully.

  2. Replaced the callouter.sh content with :

    eval $( /home/scripts/decrypt.sh /home/scripts/callouter.enc )

Content of decrypt.sh is :

# -e dropped: it contradicts -d (openssl keeps the last of the two); "$1" quoted
openssl enc -d -aes-256-cbc -a -in "$1" -pass pass:W3lc0m3987

Now when I run callouter.sh I get the below error :

./callouter.sh: Line 1: export: `This script is about to run another script': not a valid identifier
./callouter.sh: Line 1: export: `./callscript.sh': not a valid identifier

Can anyone help me with how to resolve the error? I searched for the error on the net and it has to do with invalid variables and improper use of inverted quotes. I double-checked my scripts and found no such mistakes. I am starting to think the encrypted file is causing this.

Edit : the purpose is to hide the password of the Oracle schema. Yes, for the purpose of the question I used decrypt.sh. In the environment, decrypt.sh will be accessible only to the user calling the scripts. For that we have set up an environment variable SEC_DIR which will be the home directory of each user. So for example user 'A' will have SEC_DIR as /home/A/dev/sec_dir. decrypt.sh will be placed inside this.

Upvotes: 0

Views: 373

Answers (1)

Bodo

Reputation: 9855

In general I do not recommend your approach of hiding a password by encrypting it with a second password. This does not add any real protection, only a bit more work to get the password.

In any case, everyone who can read both the encrypted data and the script decrypt.sh with its embedded decryption password can get the cleartext data.

Anyway, here is a possible solution:

1. Instead of encrypting a script with embedded login data, I suggest encrypting a file that contains only the login data as text.

Example:

login.txt

scott/tiger

Encrypt in the same way:

openssl enc -e -aes-256-cbc -salt -a -in login.txt -out login.enc -pass pass:W3lc0m3987

Use the decryption in your script callscript.sh, e.g.

sqlplus -S "$( /home/scripts/decrypt.sh login.enc )" @/home/scripts/callscript.sql

2. Another option based on your approach might be

/home/scripts/decrypt.sh /home/scripts/callouter.enc | /bin/bash

(Replace /bin/bash with the shell you want to use.)

The error export: `something': not a valid identifier results from using $( ... ) without quotes. Example:

$ printf "a\nb\nc\n"
a
b
c

$ echo x$(printf "a\nb\nc\n")y
xa b cy

$ echo x"$(printf "a\nb\nc\n")"y
xa
b
cy

3. This means you could also use

eval "$( /home/scripts/decrypt.sh /home/scripts/callouter.enc )"

From the 3 proposed solutions I recommend solution 1 as the least evil. Solution 1 passes the output of your command as an argument to sqlplus, while 2 and 3 have the command's output executed by a shell, which is a higher security risk.

Upvotes: 1
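As an added example (not code from the question or from Bodo's answer), the POSIX sh script below reproduces the `not a valid identifier` failure from the question and then shows solution 3 (quoted eval) and solution 1 (decrypt a credentials-only file and pass it as an argument) side by side. The decrypt.sh step is replaced by constructed stand-in functions (`fake_decrypt_script`, `fake_decrypt_login`) so it runs without openssl or sqlplus; `decrypt_file` and the `LOGIN_PASS` variable it reads are assumed names, and the login value with a `;` in it is constructed to show why argument passing is safer than eval.

```shell
#!/bin/sh
# Added example; not code from the question or the answer. The decrypt.sh step is
# replaced by constructed stand-in functions so this runs without openssl or sqlplus.

# Stand-in for `decrypt.sh callouter.enc`: the three lines the original
# callouter.sh contained (constructed; the `sh ./callscript.sh` line is an echo here).
fake_decrypt_script() {
    printf '%s\n' "export oraSchemaPass='scott/tiger'" \
                  "echo 'This script is about to run another script'" \
                  "echo 'would now run ./callscript.sh'"
}

# Unquoted $(...) is subject to word splitting: the newlines become spaces and the
# whole decrypted script arrives as one line.
lines_when_unquoted() {
    echo $(fake_decrypt_script) | wc -l | tr -d ' '
}

# Quoted "$(...)" keeps the inner newlines, so three separate lines survive.
lines_when_quoted() {
    printf '%s\n' "$(fake_decrypt_script)" | wc -l | tr -d ' '
}

# The question's `eval $( decrypt.sh ... )`: eval receives one line beginning with
# `export`, so every later word is taken as a variable name, and the words that are
# not valid identifiers make export fail. Runs in a subshell; returns its status.
eval_unquoted() {
    ( eval $(fake_decrypt_script) ) 2>/dev/null
}

# Solution 3 from the answer: the quoted form runs the three lines as three commands.
# Prints the variable the decrypted script exported.
eval_quoted() {
    ( eval "$(fake_decrypt_script)" >/dev/null && printf '%s\n' "$oraSchemaPass" )
}

# Stand-in for `decrypt.sh login.enc` under solution 1: the file holds only the
# login string. The constructed value carries a shell metacharacter on purpose, to
# show that it stays inert data when passed as a quoted argument instead of eval'd.
fake_decrypt_login() {
    printf '%s\n' 'scott/tiger; echo INJECTED'
}

# Argument list sqlplus would receive from
#   sqlplus -S "$( decrypt.sh login.enc )" @/home/scripts/callscript.sql
# Stand-in: report the count and the login argument rather than run sqlplus.
sqlplus_argument_count() {
    login=$(fake_decrypt_login)    # $(...) strips only the trailing newline
    set -- -S "$login" @/home/scripts/callscript.sql
    echo $#
}
sqlplus_login_argument() {
    login=$(fake_decrypt_login)
    set -- -S "$login" @/home/scripts/callscript.sql
    printf '%s\n' "$2"
}

# The answer's real decryption command, defined but not called here. `env:LOGIN_PASS`
# is an assumption: openssl reads the passphrase from that environment variable, so
# it is not literal text in the script (it remains readable by that same user).
decrypt_file() {
    openssl enc -d -aes-256-cbc -a -in "$1" -pass env:LOGIN_PASS
}

printf 'lines seen by eval: unquoted=%s quoted=%s\n' "$(lines_when_unquoted)" "$(lines_when_quoted)"
eval_unquoted || echo "unquoted eval failed as in the question (exit status $?)"
printf 'quoted eval exported oraSchemaPass=%s\n' "$(eval_quoted)"
printf 'solution 1: sqlplus gets %s arguments; login argument is <%s>\n' \
       "$(sqlplus_argument_count)" "$(sqlplus_login_argument)"
```

Run it with `sh example.sh`: the unquoted form collapses the three lines into one `export` command (the exact error text in the question), the quoted form exports `oraSchemaPass` and runs the two echos, and in the solution 1 path the decrypted text reaches sqlplus as a single argument, with its `; echo INJECTED` never interpreted by the shell.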
