Linux security advice (Plain text password in a script)

I'm attempting to automate a portion of my email. Part of that involves a few scripts reaching into my email and extracting files. In order to do this I have to store my passwords in my scripts. So how to do this securely?

Advice is appreciated.

proper rwx is the key. only the program and anything that needs access to it should have access. everything else should not even be able to rwx inside the dir.

what email client?

So for example, making the dir and file 100? That way the user can run it, but only root can read the contents?

think so.

so if program x wants to read the file and only program y can access it then program x is denied access to keep the password protected.

also keep it self contained so someone can't edit a script outside the dir to gain access to it.

@Eden can with the specifics.

Basically a script will download a file from a folder in my email. I'd like to cron it. Therefore my password needs to be in it.

If you make it readable only by the program that needs it and root then it's going to be secure enough. If someone has root access or access to the user which the email server runs as, they can already read your emails.

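One way to put this advice into practice, as an added example that is not code from any poster in the thread: keep the password out of the script in its own file, have the script refuse to run unless that file is a regular file owned by the current user with no group/other permission bits (chmod 600), and only then load the value for the IMAP login. `load_secret`, `fetch_mail`, the host/user names and the sample secret are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed example: the credential lives in a separate file, not in the
# script, so the script can stay readable while the secret gets tight perms.

def load_secret(path):
    """Return the secret stored in `path`, refusing unless the file is a
    regular file owned by us and readable by nobody else (mode 0600)."""
    p = Path(path)
    st = p.lstat()  # lstat: do not follow a symlink planted at this path
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not us")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is readable by "
            "group/others; chmod 600 it")
    return p.read_text().strip()

def fetch_mail(host, user, secret_path):
    """Log in over IMAPS with the secret loaded at run time and return the
    ids of unseen messages (hypothetical usage, needs network access)."""
    import imaplib
    password = load_secret(secret_path)
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select("INBOX", readonly=True)
        status, data = conn.search(None, "UNSEEN")
        return data[0].split() if status == "OK" else []

def permission_check_demo():
    """Show the check accepting a 0600 file and rejecting a 0644 one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o600, 0o644):
            f = Path(d) / f"secret_{mode:o}"
            f.write_text("s3cret-example\n")  # constructed sample value
            f.chmod(mode)
            try:
                results[mode] = load_secret(f)
            except PermissionError:
                results[mode] = "rejected"
    return results

if __name__ == "__main__":
    print(permission_check_demo())
```

The demo assumes a Unix host where `chmod` honours the full mode bits; `fetch_mail` is shown for structure and is not exercised by the demo.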
At this point I'm going to chmod 100 the file - that way my user can execute it but only root can read it. If someone has compromised root - I'm in worse shape than if they can see my pw.

Let's say you have a python function (running on local machine) that logs into your email and downloads your email (from an email server). One of the arguments is your password. If I hash and salt my password - will the function fail because it's hashed and not the actual pw?

If you compare the two hashed and salted passwords you can determine if they are the same, so you're granted access.

You can also safely store the password in an encrypted file too. And let the code decrypt the file and retrieve it.

Let me make sure I got this:

I take my password and hash it into an encrypted file. Then, from my script, I need to read that value from that encrypted file into my script and store it as a variable and pass that into the function which validates me to my email?

That's the idea. You have to check if the mail server allows this kind of authentication. What mail server are you using?

Zimbra

Ohh so you don't have your own mail server. Zimbra is something like gmail, and they provide APIs to access the email?

It's not mine, but it's my organization's - we have our own servers. I can get to it with procmail - but I think a language like python might be better for more comprehensive logic.

Answering myself. No.

So what's your current approach to login to your email? How do you authenticate?