Perl Scripts
Some handy perl scripts that I wrote and use quite often. They might be of use.
passwdutil.pl
This script can be used to create a password file and store passwords in it for later use, like a simple password manager. I wrote this as an aid for the Netsaint plugin, so that I could provide Netsaint with passwords for different Oracle databases without having to store them in plain text on the file system. The encoding this program does is pretty trivial, though, so care must still be taken that the password file cannot easily end up in the wrong hands.
Password encoding is keyed to the logged-on user, or to a group: the user's own default group (-g) or another group passed in by the user (-G). To enhance security (...) a user-specified group is only accepted if the logged-on user is a member of it. This can help if a tightly-guarded group such as root, wheel or dba is used: the intruder first has to crack a user account that belongs to that group (on Unix only) before having a go at decoding a password. Encoding is with CBC. Depends on Crypt::CBC and TVL::SysTools.
Usage:
passwdutil.pl -{c|l} [-f <password file>] [-g|G <numeric group id>] [username [password]]
passwdutil.pl [-f <password file>] [-g|G <numeric group id>] [username [password]]
| -c | : | create or update password file |
| -l | : | retrieve a password |
| -g | : | use default group for access rather than user |
| -G | : | use group <numeric group id> for access. The user must be a member of this group. The gid must be passed as a number. |
| -f | : | use <password file> instead of the default ${passwordFile} |
| username | : | name of the user whose password is to be stored/retrieved |
| password | : | password for this user |
A simple program to store and retrieve passwords, mainly intended for use in shell scripts. When neither -c nor -l is passed, the utility performs a basic authentication against the default password file, ${passwordFile}. The program prompts for the username and password if they are not passed on the command line.
The passwords are stored in encrypted form (the usage text describes the format as MD5). The user's uid is taken into account, unless the -g or -G switch is passed, in which case the gid is used. Passwords stored with a gid are readable by all users who are members of that group; passwords stored with the uid are readable only by that user.
A potential vulnerability exists where a uid value also exists as a gid. If the uid under which a password was stored is known, and the user requesting the password is a member of the group with that same numeric id, the password will be shown.
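The uid/gid overlap above is easy to audit before relying on uid-keyed storage. The following is an added example, not code from passwdutil.pl: it reads passwd- and group-style data (constructed sample lines are embedded here; on a real host you would read /etc/passwd and /etc/group, or use getpwent/getgrent) and reports every uid that also exists as a gid, together with the group members who would be able to read passwords stored under that uid.

```perl
#!/usr/bin/perl
# Added example (not passwdutil.pl's own code): audit a host for uid values that
# also exist as gids, and list who would be able to decode passwords stored under
# that uid.  The passwd and group data below are constructed sample lines; on a
# real host read /etc/passwd and /etc/group (or use getpwent/getgrent) instead.
use strict;
use warnings;

my $passwd = <<'END';
root:x:0:0:root:/root:/bin/sh
oracle:x:500:500:Oracle owner:/home/oracle:/bin/sh
netsaint:x:501:501:Netsaint:/home/netsaint:/bin/sh
bob:x:502:100:Bob:/home/bob:/bin/sh
END

my $group = <<'END';
root:x:0:
dba:x:500:oracle,netsaint
netsaint:x:501:
users:x:100:bob,alice
wheel:x:10:root,bob
END

# Returns a list of hashes, one per uid that collides with a gid whose members
# include someone other than the owner of that uid.
sub find_collisions {
    my ($passwd_text, $group_text) = @_;
    my (%user_of_uid, %primary_gid_of, %group_of_gid);

    for my $line (split /\n/, $passwd_text) {
        my ($name, undef, $uid, $gid) = split /:/, $line;
        $user_of_uid{$uid}     = $name;
        $primary_gid_of{$name} = $gid;
    }
    for my $line (split /\n/, $group_text) {
        my ($gname, undef, $gid, $members) = split /:/, $line, 4;
        my %m = map { $_ => 1 } grep { length } split /,/, $members;
        $group_of_gid{$gid} = { name => $gname, members => \%m };
    }
    # A user's primary group counts as membership even when the /etc/group
    # line does not list the user explicitly.
    for my $name (keys %primary_gid_of) {
        my $g = $group_of_gid{ $primary_gid_of{$name} } or next;
        $g->{members}{$name} = 1;
    }

    my @found;
    for my $uid (sort { $a <=> $b } keys %user_of_uid) {
        my $g = $group_of_gid{$uid} or next;    # no group with this numeric id
        my @readers = sort grep { $_ ne $user_of_uid{$uid} } keys %{ $g->{members} };
        push @found, { uid => $uid, user => $user_of_uid{$uid},
                       group => $g->{name}, readers => \@readers } if @readers;
    }
    return @found;
}

for my $c (find_collisions($passwd, $group)) {
    printf "uid %d (%s) == gid %d (%s): passwords %s stores under the uid are readable by %s\n",
        $c->{uid}, $c->{user}, $c->{uid}, $c->{group}, $c->{user}, join ',', @{ $c->{readers} };
}
```

With the sample data the only hit is uid 500 (oracle) against gid 500 (dba): netsaint is a member of dba, so a password oracle stored under its uid would be shown to netsaint. Users whose uid collides only with their own private group (root, netsaint) are not reported, since nobody else is a member.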
Exit codes:
- 0 - authenticated, normal completion.
- 1 - authentication failed, or an error occurred.
oralist.pl
This is a query utility for Oracle databases. It can dump an entire table or perform a query, and test connectivity. It may be used as a Netsaint plugin. It depends on DBI and DBD::Oracle.
The three purposes are:
- check if database is open & connect is possible
- export data returned from an arbitrary statement or an entire database table into a .csv file. The output file is by default called ${outName}.csv and placed in ${tempdir}, but this can be changed.
- use as a plugin for Netsaint. This implies one line of output and Netsaint-usable exit codes:
- 0 - OK: the plugin was able to check the service and it appeared to be functioning properly
- 1 - Warning: the plugin was able to check the service, but it appeared to be above some "warning" threshold or did not appear to be working properly
- -1 - Unknown: invalid command line arguments were supplied to the plugin, or the plugin was unable to check the status of the given host/service
- 2 - Critical: the plugin detected that either the service was not running or it was above some "critical" threshold
synopsis:
oralist.pl [-q] [-n] [-l] [-d [-d [..]]] [-c 'user{/password}{@SID}']
[-H hostname] [-t tablename|-f filename]
[-o filename] [-s <separator string> ] [statement]
oralist.pl [-x] [-n] [-q [-q]] [-d [-d [..]]] [-c 'user{/password}{@SID}']
[-H hostname] [-s <separator string> ]
options:
| -c | : | specify connect string |
| -d | : | produce debug information. Specifying it multiple times increases the trace level for the DBI module. Level 4 and above produce lots of cryptic information. |
| -f, --sql-file | : | specify a file containing an SQL SELECT statement. |
| -h, --help | : | print this message |
| -H, --host | : | specify a hostname to connect to (don't use tnsnames.ora) |
| -l, --stdout | : | output to screen rather than a file. Overrides -o. |
| -n, --netsaint | : | create Netsaint plugin API output on STDOUT; implies -l and '-q -q'. |
| -o, --outfile | : | specify the output file. Default: ${tempdir}/${outName}.csv |
| -q | : | quiet: don't produce soothing output naming the database. To suppress error messages as well, specify twice. |
| -s, --separator | : | the separator to print after each field when printing to screen. Has no effect when output is a file. Defaults to a tab (\t). |
| -t | : | specify a table name for a full listing; mutually exclusive with -f |
| -x, --test | : | connect and exit right away. Useful to see if a database is open for business. -f, -l, -t, -o and statement are meaningless in conjunction with -x. |
| statement | : | SQL SELECT statement to be executed. Takes precedence over the -f and -t options. |
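The -c connect string has the shape 'user{/password}{@SID}', with the password and the SID optional. The block below is an added example of parsing that format and turning it into a DBI data source; it is not oralist.pl's own code. The DSN forms used are DBD::Oracle's documented 'dbi:Oracle:SID' and 'dbi:Oracle:host=H;sid=S' (the latter for -H, which bypasses tnsnames.ora); falling back to $ORACLE_SID when no SID is given is an assumption of this example.

```perl
#!/usr/bin/perl
# Added example (not oralist.pl's own code): parse the 'user{/password}{@SID}'
# connect string and derive a DBI data source name from it.  The DSN forms are
# DBD::Oracle's documented 'dbi:Oracle:SID' and 'dbi:Oracle:host=H;sid=S';
# falling back to $ORACLE_SID when no SID is given is an assumption made here.
use strict;
use warnings;

# Returns (user, password, sid); password and sid are undef when not supplied.
# The user runs up to the first '/' or '@', the password up to '@'.
sub parse_connect {
    my ($str) = @_;
    $str =~ m{^([^/\@]+)(?:/([^\@]*))?(?:\@(.+))?$}
        or die "bad connect string: '$str'\n";
    return ($1, $2, $3);
}

# With a hostname (-H), connect by host and SID and bypass tnsnames.ora.
sub dsn_for {
    my ($sid, $host) = @_;
    $sid = $ENV{ORACLE_SID} unless defined $sid;      # assumption: ORACLE_SID fallback
    die "no SID given and ORACLE_SID is not set\n" unless defined $sid;
    return defined $host ? "dbi:Oracle:host=$host;sid=$sid" : "dbi:Oracle:$sid";
}

# Constructed sample connect strings covering each optional part.
for my $c ('scott/tiger@ORCL', 'scott@ORCL', 'scott/tiger', 'scott') {
    my ($user, $pass, $sid) = parse_connect($c);
    printf "%-17s user=%s password=%s sid=%s\n", $c, $user,
        defined $pass ? 'given on command line' : 'would be prompted for',
        defined $sid  ? $sid : 'from ORACLE_SID';
}
print dsn_for('ORCL'), "\n";
print dsn_for('ORCL', 'db1.example.com'), "\n";
```

A password given inside -c is visible to every local user in the process list for as long as the script runs. In a wrapper or a Netsaint check it is better to omit it there and supply it another way, for instance by having the wrapper fetch it with passwdutil.pl -l described above.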
ldaplist.pl
A query tool for LDAP databases. I use this tool only on one database, which is why the database server, port and base DN are hard-coded. Feel free to implement them as options. Before you use it, change the 4 constants at the top of the script; this is the only configuration. A usage message is printed if the tool is run without arguments; it is also at the end of the script if you prefer. The script depends on Net::LDAPapi and TVL::SysTools.
Usage:
ldaplist.pl -l {attribute-to-list[,another-attribute[,..]]} \
[-s {search filter}] [-b {extra baseDN}] [-u {username}]
Performs an LDAP search on server LDAPSERVER, port LDAPSERVERPORT, and lists the results to STDOUT,
as records of the format:
<DN>:
===============
<listattribute>: <value>
Options:
| -l | : | Required: one or more attributes to list (comma separated). No default |
| -s | : | Additional search filter enclosed in parenthesis, eg '(cn=wild*)'. Defaults to LDAPSEARCHLIMITS |
| -b | : | Additional base DN attribute, e.g. 'ou=group'. Defaults to LDAPBASEDN |
| -u | : | Username for an authenticated LDAP search. Default is an anonymous bind |
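The -s filter is passed to the server as-is, so anything that builds it from outside input (a form field, an argument to a wrapper script) has to escape that input first, or a value like 'wild*)(uid=*' rewrites the filter. The block below is an added example, not part of ldaplist.pl: it applies the RFC 4515 escaping (backslash, parentheses, asterisk and NUL become \5c, \28, \29, \2a and \00) to a value and then wraps it in a cn= filter of the form the -s option expects, adding the trailing wildcard only after escaping so that it is the only wildcard the server sees.

```perl
#!/usr/bin/perl
# Added example (not ldaplist.pl's own code): escape a value before it is
# interpolated into an LDAP search filter, per RFC 4515 section 3.
use strict;
use warnings;

# Replace each filter metacharacter with its \xx hex escape.
sub escape_filter_value {
    my ($v) = @_;
    $v =~ s/([\\()*\x00])/sprintf('\\%02x', ord($1))/ge;
    return $v;
}

# Build the kind of filter -s takes, e.g. '(cn=wild*)', from an untrusted prefix.
# The wildcard is appended after escaping, so a '*' inside the input stays literal.
sub cn_prefix_filter {
    my ($prefix) = @_;
    return '(cn=' . escape_filter_value($prefix) . '*)';
}

# Constructed inputs: a benign prefix, an injection attempt, and two with
# characters that must survive unchanged or be escaped.
for my $input ('wild', 'wild*)(uid=*', "O'Brien", "a\\b") {
    printf "%-14s -> %s\n", $input, cn_prefix_filter($input);
}
```

The injection attempt comes out as '(cn=wild\2a\29\28uid=\2a*)', which the server matches against a literal cn rather than treating as a second '(uid=*)' term; the apostrophe in O'Brien is not a filter metacharacter and passes through unchanged.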