
I have 2 shell scripts, one calling the other: callouter.sh and callscript.sh.

callouter.sh :

export oraSchemaPass='scott/tiger'
echo 'This script is about to run another script'
sh ./callscript.sh

callscript.sh :

sqlplus -S ${oraSchemaPass} @/home/scripts/callscript.sql

callscript.sql is :

set pagesize 1000
select * from emp;
EXIT

This works perfectly fine. No error whatsoever. This is korn shell by the way.

Now I did 2 things :

  1. Encrypted callouter.sh using openssl:

    openssl enc -e -aes-256-cbc -salt -a -in /home/scripts/callouter.sh -out /home/scripts/callouter.enc -pass pass:W3lc0m3987

The file encrypted successfully.

  2. Replaced the callouter.sh content with:

    eval $( /home/scripts/decrypt.sh /home/scripts/callouter.enc )

Content of decrypt.sh is :

openssl enc -d -aes-256-cbc -a -in "$1" -pass pass:W3lc0m3987

Now when I run callouter.sh I get the below error :

./callouter.sh: Line 1: export: `This script is about to run another script': not a valid identifier
./callouter.sh: Line 1: export: `./callscript.sh': not a valid identifier

Can anyone help me with how to resolve the error? I searched for the error on the net and it has to do with invalid variables and improper use of inverted quotes. I double-checked my scripts and found no such mistakes. I am starting to think the encrypted file is causing this.

Edit: the purpose is to hide the password of the Oracle schema. Yes, for the purpose of the question I used decrypt.sh. In the environment, decrypt.sh will be accessible only to the user calling the scripts. For that we have set up an environment variable SEC_DIR, which will be the home directory of each user. So for example user 'A' will have SEC_DIR as /home/A/dev/sec_dir. decrypt.sh will be placed inside this directory.

  • Apparently the result of eval $( /home/scripts/decrypt.sh /home/scripts/callouter.enc ) is like putting all your script's code into a single line. What's the purpose of this encryption? Hiding the hard-coded password in callouter.sh by using a hard-coded password in decrypt.sh? Please edit your question to answer. Commented Jul 26, 2021 at 17:20
  • Edited the question as suggested. Commented Jul 26, 2021 at 21:49
  • Why don't you restrict access to the script callouter.sh to the user who is allowed to access the database, in the same way as you plan to do for the decrypt.sh script? Or add the login to the callscript.sql script and restrict access to callscript.sql in a similar way? Commented Jul 27, 2021 at 7:14
  • We are doing that too. But a few Project Managers also do not want the Oracle schema username and password in the script, as it's not SOX compliant. So we are doing this to comply with such policies. Commented Jul 27, 2021 at 7:19
  • Please add all clarification or requested information to the question by editing it. Commented Jul 27, 2021 at 7:32

1 Answer


In general I do not recommend your approach of hiding a password by encrypting it using a second password. This does not add any real protection, only a bit more work to get the password.

In any case, everyone who can read both the encrypted data and the script decrypt.sh with its embedded decryption password can get the cleartext data.

Anyway, here is a possible solution:

1. Instead of encrypting a script with embedded login data, I suggest encrypting a file that contains only the login data as text.

Example:

login.txt

scott/tiger

Encrypt in the same way:

openssl enc -e -aes-256-cbc -salt -a -in login.txt -out login.enc -pass pass:W3lc0m3987

Use the decryption in your script callscript.sh, e.g.

sqlplus -S "$( /home/scripts/decrypt.sh login.enc )" @/home/scripts/callscript.sql

2. Another option based on your approach might be

/home/scripts/decrypt.sh /home/scripts/callouter.enc | /bin/bash

(Replace /bin/bash with the shell you want to use.)

The error export: `something': not a valid identifier results from using $( ... ) without quotes. Example:

$ printf "a\nb\nc\n"
a
b
c

$ echo x$(printf "a\nb\nc\n")y
xa b cy

$ echo x"$(printf "a\nb\nc\n")"y
xa
b
cy

3. This means you could also use

eval "$( /home/scripts/decrypt.sh /home/scripts/callouter.enc )"

Of the 3 proposed solutions I recommend solution 1 as the least evil. Solution 1 passes the output of your command as an argument to sqlplus, while 2 and 3 execute the command's output in a shell, which is a higher security risk.
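An added example, not code from the question or the answer, that reproduces the word splitting the answer describes: a constructed stand-in for decrypt.sh's output (the original callouter.sh lines, with `sh ./callscript.sh` replaced by an echo so it runs anywhere) is fed to eval unquoted and quoted. The error text varies by shell (bash prints `not a valid identifier`, dash prints `bad variable name`), but the unquoted form fails in both.

```sh
#!/bin/sh
# Added example (not from the question or the answer): why eval on an
# unquoted $( ... ) turns a three-line script into one bogus export command.

# Constructed stand-in for what decrypt.sh prints: the lines of the original
# callouter.sh, with the last one replaced by an echo so it runs anywhere.
decrypted_script() {
    printf '%s\n' "export oraSchemaPass='scott/tiger'" \
                  "echo 'This script is about to run another script'" \
                  "echo './callscript.sh would be invoked here'"
}

# What the shell hands to eval when $( ... ) is unquoted: the output is
# word-split on newlines and spaces, then glued back together as ONE line.
flattened_script() {
    echo $( decrypted_script )
}

# The question's form. eval parses that single line as one command: "export"
# with every remaining word as an argument. Words that are not valid
# identifiers ("This script ...", "./callscript.sh ...") trigger the error.
# Run in a subshell: a strict POSIX sh aborts on a special-builtin error.
unquoted_eval() {
    ( eval $( decrypted_script ) ) 2>&1
}

# The answer's fix: quoting keeps the newlines, so eval sees three commands.
quoted_eval() {
    ( eval "$( decrypted_script )" ) 2>&1
}

if [ "${1:-}" = demo ]; then
    echo "eval sees (unquoted): $(flattened_script)"
    unquoted_eval; echo "unquoted exit status: $?"
    quoted_eval;   echo "quoted exit status:   $?"
fi
```

Run it as `sh example.sh demo` to see the flattened command line, the export error from the unquoted eval, and the three echoed lines from the quoted one.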


2 Comments

The last code worked like a charm. Guess I should not have used eval in the new script I wrote. I thought I had eval pinned down. Damn! Gotta read up on eval now. But thanks for the solution. I have marked it as the answer.
One burning question: why is the script throwing a "not a valid identifier" message when eval comes into the picture?
