Securing an INI file

  • Securing an INI file

    I have built a number of PB applications in the past that read in parameters
    from an INI file. One such parameter is a user name and password to access a database.
    My users now require that I supply security restrictions to this INI file.
    Using Windows NT, all I could think of was to give just execute permissions to the INI
    file so that users couldn't read it. This, unfortunately, doesn't allow my application
    to read from the INI file. Does anybody have any ideas how to secure the INI file, i.e. so that
    it cannot be read by everybody but allows everybody to run my application!

    Ideas Appreciated!

    Danny

    ------------------

  • #2
    What "security restrictions" are they requiring? It is Windows, right? Windows 9x and Me don't really give you any security, and NT requires NTFS to have any chance of security. I don't think INI files are a good choice for passwords. An encrypted configuration file or encrypted binary data in the registry would be fine, too.

    Do they want passwords secured? You could hash the sensitive data into hex "bytes" or perhaps encrypt it and store it in the registry.
    When a user types in the name and password, that data's hash is compared with the hashed data saved in the INI file or registry or configuration file.

    Personally, I think an INI file is BAD for this use.
    [PROGRAM STUFF]
    Username=Joe Johnson
    Password=5FED7A03EF9FEB
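Ron's hash-and-compare design, as an added Python example that is not code from the thread: the INI keeps a salt and a PBKDF2 hash instead of the password, and the login check compares hashes in constant time. It only fits when the user types the credentials; it cannot protect a password the application itself must hand to the database, as in Danny's case. The section and Username key come from Ron's sample INI; Salt, Iterations and PasswordHash are assumed additions.

```python
import configparser
import hashlib
import hmac
import io
import os

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware allows


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 of the password, as hex for the INI file."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()


def make_ini(username, password):
    """Write the [PROGRAM STUFF] section from Ron's post, but with a random
    salt and a password hash instead of the password itself (the Salt,
    Iterations and PasswordHash keys are assumed for this example)."""
    salt = os.urandom(16)
    cfg = configparser.ConfigParser()
    cfg["PROGRAM STUFF"] = {
        "Username": username,
        "Salt": salt.hex(),
        "Iterations": str(ITERATIONS),
        "PasswordHash": hash_password(password, salt),
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def verify_login(ini_text, username, password):
    """Hash what the user typed with the stored salt and compare it with the
    stored hash; both comparisons are constant-time to avoid timing leaks."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    sec = cfg["PROGRAM STUFF"]
    user_ok = hmac.compare_digest(sec["Username"].encode("utf-8"),
                                  username.encode("utf-8"))
    salt = bytes.fromhex(sec["Salt"])
    actual = hash_password(password, salt, int(sec["Iterations"]))
    hash_ok = hmac.compare_digest(sec["PasswordHash"], actual)
    return user_ok and hash_ok


if __name__ == "__main__":
    ini = make_ini("Joe Johnson", "correct horse battery")  # constructed values
    print(ini)
    print(verify_login(ini, "Joe Johnson", "correct horse battery"))
```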

    • #3
      If you could save the values in the registry, maybe you could use the RegSetKeySecurity call?



      ------------------
      Best Regards
      Peter Scheutz

      • #4
        I'm avoiding saving data in the registry in my apps from now on and am reverting back to .ini's. A lot of people log in to Windows without registry write access, so unless your app knows how to handle that, you may have unexpected errors.


        ------------------
        -

        • #5
          Yes, Ron, it is Windows NT using NTFS.

          I agree it isn't the cleverest of solutions to put a database username and password
          in an INI file; however, it does simplify things drastically doing it this way!

          I guess what I could do is write another application that encrypts the password, enter
          that encrypted password into the INI file and then build the decrypter into my application.

          Danny

          ------------------

          • #6
            Danny,

            Just use the sample CRC32 code which is posted in the source
            code forum. Change the keys in your INI file to something else
            other than:

            UserName
            Password

            Try:

            Config00
            Config01

            and then Leave UserName and Password blank in the ini file.

            So you will have this:

            [main]
            UserName=
            Password=
            Config00=AABB
            Config01=AADD

            Hope that works.

            ------------------
            -Greg
            [email protected]
            MCP,MCSA,MCSE,MCSD

            • #7
              Originally posted by Danny Greenwood:
              Yes, Ron, it is Windows NT using NTFS.
              Why don't you use the NTFS Streams to hide the entire ini file?



              ------------------
              E-Mail (home): [email protected]
              E-Mail (work): [email protected]

              • #8
                How do you do that, Sven? Never played with Streams before!

                ------------------

                • #9
                  Originally posted by Danny Greenwood:
                  How do you do that Sven, never played with Streams before!
                  http://www.powerbasic.com/support/pb...ead.php?t=3628

                  Hide an INI with the real password & username "under" an INI with fake data.

                  ------------------
                  E-Mail (home): [email protected]
                  E-Mail (work): [email protected]

                  [This message has been edited by Sven Blumenstein (edited August 03, 2001).]

                  • #10
                    Streams are virtually the same as normal files in the way they are read/written, for example:
                    Code:
                    ' Ordinary file: this writes the unnamed (default) data stream
                    OPEN "C:\myfile.txt" FOR OUTPUT AS #1
                     PRINT #1, "Normal file"
                    CLOSE #1
                    ' Same file, named stream: the name after the colon selects the stream
                    OPEN "C:\myfile.txt:mystream" FOR OUTPUT AS #1
                     PRINT #1, "Stream file"
                    CLOSE #1
                    but there are a few quirks... DIR$("c:\myfile.txt:mystream") will fail even if the stream file exists, as streams can't be "seen" as normal files. You typically can't see stream files without specialist utilities (source for one has been generously posted here by Florent Heyworth), but you can read/write to them as if they were normal files.
                    Streams are available on NTFS only, not FAT. NTFS support was added for Macintosh file support, where files have 'resource forks'.
                    Also, if drive C doesn't support streams, don't assume that the other drives don't support it - on one system here, streams are available only on drive D, which is the only NTFS drive in that system.

                    As an interesting side note, several webservers including earlier versions of IIS were vulnerable to a stream exploit. When you read the ":$DATA" stream of a file, you're effectively reading the main file contents, so c:\autoexec.bat:$DATA reads from c:\autoexec.bat.
                    When going to a URL such as http://www.victim.com/default.asp::$DATA, the default.asp file could be downloaded rather than it being processed/executed as a CGI, as you weren't requesting a file of the ".asp" extension. This was fixed a long time ago in most webservers so it's not something you'll easily be able to exploit, but certainly an issue to be aware of!

                    Best regards,
                    Wayne


                    [This message has been edited by Wayne Diamond (edited August 03, 2001).]
                    -

                    • #11
                      OK. I understand the principle of Streams now - thanks guys! BUT, how do I
                      open the stream file eg d:\afile.ini:stream1 using the operating system (NT).
                      You cannot just double click on it and I cannot open it from the run command
                      either! If I cannot open it, how can I edit it?! I must be misunderstanding
                      something fundamental here!

                      PowerBASIC code can open them using the ads-test application.

                      Danny

                      ------------------

                      • #12
                        What I normally do is use an internal key, a hexadecimal equivalent etc...
                        Encrypt the username and password and then change to hex value, virtually undecipherable by anybody except the app with the key.
                        I can give you the source if you like, take you 5 minutes to implement it.


                        [email protected]

                        Scott

                        ------------------
                        Scott Turchin
                        MCSE, MCP+I
                        http://www.tngbbs.com
                        ----------------------
                        True Karate-do is this: that in daily life, one's mind and body be trained and developed in a spirit of humility; and that in critical times, one be devoted utterly to the cause of justice. -Gichin Funakoshi

                        • #13
                          Scott,

                          I'd be interested in seeing the source code. If you don't want to post it here
                          could you mail it to me at: [email protected]

                          Thanks


                          Danny

                          ------------------

                          • #14
                            BUT, how do I open the stream file eg d:\afile.ini:stream1 using the operating system (NT).
                            You cannot just double click on it and I cannot open it from the run command
                            either! If I cannot open it, how can I edit it?!
                            Danny, you can't use programs such as Explorer or the command prompt to 'view' files as such, because streams aren't shown as files (technically they're not files, they're "resource/data forks"), but that's the beauty of streams: it keeps data hidden from most users; a lot of people don't even know about streams.
                            Programs that check if a file exists before opening will typically not support streams. For example:
                            Code:
                            ' Dir$ cannot see a named stream, so this test fails even when the stream exists
                            sFile$ = "c:\testfile.txt:mystream"
                            If Dir$(sFile$) = "" Then
                               Msgbox "File doesn't exist"
                            Else
                               Msgbox "File exists"
                            End If
                            That will ALWAYS say "File doesn't exist" even if c:\testfile.txt:mystream exists.
                            Notepad will let you view streams... from Windows, go Start | Run | notepad.exe c:\testfile.txt:mystream
                            Notepad will load and ask you if you want to create a new file - choose Yes. Type in "Thanks Wayne, what postal address can I send you a bottle of bourbon?", and Save that (Alt+F | S), and close down Notepad.
                            Now start Notepad again from Start | Run exactly as you did before, and wallah! - you'll be reading the stream file.


                            ------------------
                            -
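Wayne's two points above, the name:stream[:type] syntax behind the ::$DATA issue in #10 and the Dir$ quirk in #14, as an added Python example that is not code from the thread: it splits a Win32 path into file, stream and type, and uses that to flag stream-style requests in a constructed web log, which is what a server-side filter or a log review would look for. The log lines and the parse_stream_path / flag_stream_requests names are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# NTFS stream syntax is  <name>[:<stream>[:<$type>]]  and applies to the last
# path component only.  "name::$DATA" is the unnamed default stream, i.e. the
# file's ordinary contents; a drive letter such as "c:\" is not a stream.
_DRIVE = re.compile(r"^[A-Za-z]:(?=[\\/])")


def parse_stream_path(path):
    """Return (file_path, stream_name, stream_type) for a Win32 path.
    A plain file gives (path, None, None)."""
    m = _DRIVE.match(path)
    drive = m.group(0) if m else ""
    rest = path[len(drive):]
    cut = max(rest.rfind("\\"), rest.rfind("/"))
    head, last = rest[:cut + 1], rest[cut + 1:]
    name, *extra = last.split(":")
    stream = extra[0] if extra else None
    stype = extra[1] if len(extra) > 1 else None
    return drive + head + name, stream, stype


def is_stream_request(url):
    """True when a URL's path names a stream, e.g. the '::$DATA' form that
    made early IIS versions return .asp source instead of running it."""
    _, stream, stype = parse_stream_path(unquote(urlsplit(url).path))
    return stream is not None or stype is not None


# Constructed W3C-style log lines: date time method path status.
SAMPLE_LOG = """\
2001-08-03 10:00:01 GET /default.asp 200
2001-08-03 10:00:02 GET /default.asp::$DATA 200
2001-08-03 10:00:03 GET /images/logo.gif 200
2001-08-03 10:00:04 GET /config.ini:secret 404
"""


def flag_stream_requests(log_text):
    """Return the request paths in the log that name an NTFS stream."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and is_stream_request(fields[3]):
            hits.append(fields[3])
    return hits


if __name__ == "__main__":
    print(parse_stream_path(r"c:\myfile.txt:mystream"))
    print(flag_stream_requests(SAMPLE_LOG))
```

A named stream shares its host file's ACL and is dropped when the file is copied to FAT or to most non-NTFS shares, so it hides data from casual browsing but not from anyone who can read the file.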

                            • #15
                              Hey this is cool!
                              Under Win2k however, I see a zero byte file, double click it, nothing, run notepad with the stream name and walah...


                              So how could one lock the file even if the program is not running so that it cannot be deleted?

                              ------------------
                              Scott

                              • #16
                                Scott, if you create the stream "c:\file.txt:mystream", and c:\file.txt doesn't exist, c:\file.txt will be created as a 0-byte file -- the stream needs something to cling onto. If you delete that 0-byte file, you delete the stream also.
                                Not sure what you mean about locking, sorry?
                                Have a good weekend



                                ------------------
                                -

                                • #17
                                  walah...
                                  It's "V-O-I-L-A" not "W-A-L-A-H"

                                  Sheesh, and I thought I was the one with the disadvantaged ethnicity....

                                  MCM
                                  (ethnic Milwaukeean)


                                  Michael Mattias
                                  Tal Systems Inc. (retired)
                                  Racine WI USA
                                  [email protected]
                                  http://www.talsystems.com

                                  • #18
                                    Walah, voila, same dog different leg action ... what does ethnicity have to do with anything? Australia is a free multi-cultural society where you can make typographical errors and enjoy it - I was born in Perth and my parents were born in eastern Australia, but I could be a migrant for all you know! Let's not bring race/religion etc. onto this forum.
                                    Anyway, have a good weekend


                                    ------------------
                                    -

                                    • #19
                                      Who's Viola?

                                      ------------------
                                      Scott

                                      • #20
                                        Lets not bring dyslexia or women into it either <grin>


                                        ------------------
                                        -
