Kleuskes & Moos
6/2/2011 9:56:00 AM
On Jun 2, 10:22 am, JohnF <j...@please.see.sig.for.email.com> wrote:
> I have a C program, used as a public cgi, where a few
> of the commands it recognizes and runs should be
> restricted to "authorized users". The consequences
> of unauthorized use aren't horrendous, so I'm just
> looking for enough security to keep out the riff-raff.
> What's easy for me to implement is something like
> #if !defined(PASSWORD)
> #define PASSWORD "default_password"
> #endif
> static char password[129]=PASSWORD;
> and compile it with
> cc -DPASSWORD=\"secret_password\" etc.
> and then make users enter an extra directive
> \password{secret_password}
> whenever they want to access restricted commands.
>
> But compiled like this, the strings command run
> against the cgi executable image would show the
> compiled-in password. Again, the consequences
> wouldn't be horrendous. But is there a way to
> gently scramble the password a bit so the
> executable image doesn't show it quite so easily,
> and the code just unscrambles it whenever needed?
> A constraint is that the person compiling the
> program must still be able to enter the unscrambled
> cc -DPASSWORD=\"secret_password\" etc.
> And I also don't want that person to need a separate
> small scrambling program, whereby he'd then enter
> cc -DPASSWORD=\"$(scramble secret_password)\" etc.
> So the scrambling must, I suppose, take place at
> compile time, at the preprocessor level, while the
> corresponding unscrambling would be done by the
> program during execution. ... Or something like that.
> Thanks for any suggestions,
There are several. Especially if security isn't a big issue, try rot13,
but keep in mind this will only obfuscate the pw, not encrypt it.
Alternatively, you could XOR the chars in the password with some known
value, thus obfuscating it.
Mind you, neither method is safe in the face of a determined hacker.
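
The XOR suggestion from the reply above, as an added example that is not part of either post. The key value 0xA5, the function names and the byte array are assumptions constructed for illustration; the array is scrambled ahead of time, so this sketch does not meet the "no separate scrambling step" constraint in the question.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical key (an assumption, not from the thread). Bit 7 is set, so
   every 7-bit ASCII character maps to a byte >= 0x80: never NUL and never
   printable, which keeps the stored form out of strings(1) output. */
#define XOR_KEY 0xA5u

/* Constructed sample: "secret_password" XORed byte by byte with XOR_KEY. */
static const unsigned char scrambled_pw[] = {
    0xD6, 0xC0, 0xC6, 0xD7, 0xC0, 0xD1, 0xFA, 0xD5,
    0xC4, 0xD6, 0xD6, 0xD2, 0xCA, 0xD7, 0xC1
};

/* XOR is its own inverse, so one routine scrambles and unscrambles. */
void xor_buf(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Length of the longest run of printable ASCII, the pattern strings(1)
   reports once a run reaches its minimum length (4 by default). */
size_t longest_printable_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] >= 0x20 && buf[i] <= 0x7E) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

/* Returns 1 if input matches. The input is scrambled on the fly and compared
   with the stored bytes, so the clear password is never rebuilt in memory;
   differences are accumulated rather than returned early. */
int check_password(const char *input)
{
    unsigned char diff = 0;
    if (strlen(input) != sizeof scrambled_pw)
        return 0;
    for (size_t i = 0; i < sizeof scrambled_pw; i++)
        diff |= (unsigned char)(((unsigned char)input[i] ^ XOR_KEY) ^ scrambled_pw[i]);
    return diff == 0;
}
```

The key sits in the same executable as the scrambled bytes, so this only hides the password from a casual strings run, which is the limit the reply points out.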