Posted on 08-03-2015 09:12 AM
Has anyone found a way to run a script via the JSS with secure parameters? For example, if I want a script to make some API calls, I need to keep the account credentials obscured from the user. As it is now, the parameters for a script are visible via "ps -e" while it is running.
Edit: I am using bash, is there another language/shell I can use that would not display parameters?
Posted on 08-03-2015 10:05 AM
Bump, for curiosity. And thanks for the tip of "ps -e". I was unaware of this.
Posted on 08-03-2015 10:54 AM
If you create a quick add package with the account you want to use, the script in that package will have the hash of the account password. Unless something's changed recently, you can safely use that in your script and the JSS will use the hashed password.
Posted on 08-03-2015 11:15 AM
Im not certain if this would help in this case, but I'll just post it anyway in case you haven't seen it - https://github.com/jamfit/Encrypted-Script-Parameters
Posted on 08-03-2015 11:55 AM
Yeah, I ended up doing something similar on my own with openssl and aes-256 encrypting the parameters with a salt embedded in the script. Of course, the "ps -e" command shows the path of the script it is executing in addition to the parameters, so a sufficiently-motivated user with admin rights could capture the script and the decryption salt and reverse-engineer everything.
It's incredibly unlikely, but at the end of the day it's "security through obscurity" which I don't like, but I don't think I can come up with anything better due to the way the OS functions.