Secure script parameters?

alexjdale
Valued Contributor III

Has anyone found a way to run a script via the JSS with secure parameters? For example, if I want a script to make some API calls, I need to keep the account credentials obscured from the user. As it is now, the parameters for a script are visible via "ps -e" while it is running.

Edit: I am using bash, is there another language/shell I can use that would not display parameters?

4 REPLIES

Snickasaurus
Contributor

Bump, for curiosity. And thanks for the tip of "ps -e". I was unaware of this.

jarednichols
Honored Contributor

If you create a quick add package with the account you want to use, the script in that package will have the hash of the account password. Unless something's changed recently, you can safely use that in your script and the JSS will use the hashed password.

mm2270
Legendary Contributor III

I'm not certain if this would help in this case, but I'll just post it anyway in case you haven't seen it - https://github.com/jamfit/Encrypted-Script-Parameters

alexjdale
Valued Contributor III

Yeah, I ended up doing something similar on my own with openssl and aes-256 encrypting the parameters with a salt embedded in the script. Of course, the "ps -e" command shows the path of the script it is executing in addition to the parameters, so a sufficiently-motivated user with admin rights could capture the script and the decryption salt and reverse-engineer everything.

It's incredibly unlikely, but at the end of the day it's "security through obscurity" which I don't like, but I don't think I can come up with anything better due to the way the OS functions.
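Added example, not code from any poster in this thread or from the linked repository: a sketch of the encrypted-parameter approach discussed above, in which only ciphertext is passed as the script parameter and the passphrase reaches `openssl` over a file descriptor rather than on its command line. The passphrase, the credential string and the function names are constructed for illustration, and an `openssl` build that supports `-pbkdf2` (OpenSSL 1.1.1 or later) is assumed.

```shell
#!/bin/sh
# Added example. PASSPHRASE and the credential string are constructed values.
# Assumption: the passphrase is embedded in the script body, as in the thread.
PASSPHRASE='constructed-passphrase-not-a-real-secret'

# Run once by the admin: prints one base64 line to paste into the parameter field.
encrypt_param() {
    # Plaintext arrives on stdin and the passphrase on fd 3, so neither is
    # part of openssl's argument list (which is what "ps -e" displays).
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -a -A -pass fd:3 3<<EOF
$PASSPHRASE
EOF
}

# Run inside the deployed script: turns the ciphertext parameter back into plaintext.
decrypt_param() {
    printf '%s\n' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass fd:3 3<<EOF
$PASSPHRASE
EOF
}

# Demo: "ciphertext" stands in for the value the management server would pass.
ciphertext=$(encrypt_param 'apiuser:constructed-password')
credentials=$(decrypt_param "$ciphertext")
echo "parameter as it would appear in ps: $ciphertext"
echo "recovered ${#credentials} characters inside the script"
```

The process list then shows only the base64 ciphertext, but anyone who can read the script file can still read the passphrase and decrypt it, which is the limitation the last post describes.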