
Making CRON run a PHP command. Do other people see the password when it has been stored? And how to make it run workdays during work hours

post #1 of 8
Thread Starter 
I was wondering if the below command will make others able to see the username and password it contains once it is started, if they have shell access?

php "/administrator/components/com_csvi/helpers/cron.php" username="user" passwd="password"


Also, the above command is not complete, and I'm not very good at this either. I have the possibility to use PuTTY, so would I write the following:

crontab
00 09-18 * * 1-5 php "/administrator/components/com_csvi/helpers/cron.php" username="user" passwd="password"

It's for virtuemart stock updating.

Thanks for any replies
post #2 of 8
Yes, if they run a "ps -a" they should be able to see the username and password fields. Not sure what you are trying to do, but could you just hardcore the username and password in the file (making sure permissions are correct so no one else can read it)?


Also, I usually do my cron jobs like this:

0 9,18 * * 1,5 /path_to_script

Every 9th and 18th hour at zero minutes on Monday and Friday, run this script.
Edited by SweetAndLow - 3/29/12 at 10:06am
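What post #2 describes, as a demo added here (not code from any poster in the thread): a stand-in for cron.php reports its own argument list, once with the password passed inline as in post #1 and once with only the path to a file created with mode 0600. The script name job.sh, the --credfile option and the password value are constructed for the demo.

```shell
#!/bin/sh
# Added demo; job.sh, --credfile and the secret are constructed stand-ins.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Stand-in for cron.php: prints its own argument list. On Linux this is
# /proc/<pid>/cmdline, the file ps reads; it is readable by every local
# user unless /proc is mounted with hidepid.
cat > "$demo_dir/job.sh" <<'EOF'
#!/bin/sh
[ "$1" = "--credfile" ] && IFS= read -r secret < "$2"
if [ -r "/proc/$$/cmdline" ]; then
    tr '\0' ' ' < "/proc/$$/cmdline"
else
    ps -o args= -p "$$"
fi
EOF

# Argument list seen when the secret is passed inline (post #1's form).
args_inline() {
    sh "$demo_dir/job.sh" username="user" passwd="$1"
}

# Argument list seen when only the path of an owner-only file is passed.
args_credfile() {
    ( umask 077; printf '%s\n' "$1" > "$demo_dir/cred" )
    sh "$demo_dir/job.sh" --credfile "$demo_dir/cred"
}

# Permission bits of the credential file, e.g. -rw-------
cred_mode() {
    ls -l "$demo_dir/cred" | cut -c1-10
}

# leaks <secret> <argument list>: succeeds if the secret is visible in it.
leaks() {
    case "$2" in *"$1"*) return 0 ;; *) return 1 ;; esac
}

SECRET='constructed-demo-password'
echo "inline:   $(args_inline "$SECRET")"
echo "credfile: $(args_credfile "$SECRET")"
echo "file mode: $(cred_mode)"
```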
post #3 of 8
Thread Starter 
I'm not that good at Linux or Unix, I tend to only remember cd and ls
Hardcore a file? Do you mean make a cron script, and lock down the permissions to the script file?

I have never done a cron before I think. I'm seldom on a Linux or Unix server through shell.
post #4 of 8
Users will be able to see the password if they can see crontab.

He probably meant hardcode. If you hardcode the password within the file AND only a higher account can read/execute the file, users should not be able to get the password as easily.
post #5 of 8
Thread Starter 
But a higher user probably can get that password elsewhere in the system right?

But I can also encrypt the password in the file right, so it isn't overly easy to pick it up?
post #6 of 8
Quote:
Originally Posted by NorxMAL

But a higher user probably can get that password elsewhere in the system right?
But I can also encrypt the password in the file right, so it isn't overly easy to pick it up?

No... if the password is in the file.... only those with read permission to the file can read it.

No... You cannot encrypt a password in the file. The password could be in a separate encrypted file and you can pass your code the key to decrypt, but you're stuck again that someone can get the key.


Note that not allowing file permissions is not encryption nor is it that secure. There are ways to bypass OS permissioning.
post #7 of 8
Thread Starter 
This is a commercial web hosting service, so if one does such things they would probably get caught?

I have to stop being so paranoid, I just have to avoid being really stupid in how I set this up

The password and username will be an admin on my Joomla website.
Edited by NorxMAL - 3/29/12 at 1:01pm
post #8 of 8
http://curl.haxx.se/docs/manpage.html
http://curl.haxx.se/docs/faq.html#How_do_I_keep_user_names_and_pas

do you have to use your admin account? probably not.

whatever runs this process should be either a minimum permissions account or nobody:nobody. don't just use root's crontab... sudo -u nobody [or your svc acct] crontab -e

the problem of hiding the password can be taken much further if you need, but even if you do that it could still be disassembled. if someone really wants in, you're probably not going to stop it, all you can do is add layers upon layers, each is hopefully a bit stronger than the one before it, but ALL of them have a hole. The entire concept of computer security ultimately rests on the fact that it is "hard" to factor a product of two large primes back down to the two factors. TLS was just cracked, and if the Riemann hypothesis is ever proven, it will be chaos.

as the curl document says, if your site is using basic auth (probably) it is a joke to get your password. eavesdrop on the header, base64 decode, there it is
Edited by lloyd mcclendon - 3/29/12 at 9:51pm