Security strategies for storing password on disk
Posted by Mike on Stack Overflow
Published on 2010-05-19T18:47:46Z
Indexed on 2010/05/19 18:50 UTC
I am building a suite of batch jobs that require regular access to a database, running on a Solaris 10 machine. Because of (unchangeable) design constraints, we are required to use a certain program to connect to it. Said interface requires us to pass a plain-text password over a command line to connect to the database. This is a terrible security practice, but we are stuck with it.
I am trying to make sure things are properly secured on our end. Since the processing is automated (i.e., we can't prompt for a password), and I can't store anything outside the disk, I need a strategy for storing our password securely.
Here are some basic rules:
- The system has multiple users.
- We can assume that our permissions are properly enforced (i.e., if a file with a is chmod'd to 600, it won't be publicly readable)
- I don't mind anyone with superuser access looking at our stored password
Here is what I've got so far:
- Store password in password.txt
- $ chmod 600 password.txt
- Process reads from password.txt when it's needed
- Buffer overwritten with zeros when it's no longer needed
Although I'm sure there is a better way.
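The four steps listed in the question, as an added C example that is not part of the original post: it reads the password file only if it is a regular file owned by the running user with no group or other permission bits, and it zeroes the buffer in a way the compiler cannot optimize away. The names `load_secret` and `wipe` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* expose O_NOFOLLOW under strict -std= modes */
#include <fcntl.h>
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Zero through a volatile pointer so the compiler cannot discard the
   stores as dead writes to a buffer that is never read again. */
void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read the secret stored at path into out (NUL-terminated, trailing
   newline stripped). Returns 0 on success, -1 on any failure. A secret
   that fills the whole buffer is rejected as possibly truncated. */
int load_secret(const char *path, char *out, size_t cap) {
    struct stat st;
    ssize_t n = 0;
    size_t len = 0;
    int fd;

    if (cap < 2) return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);        /* refuse a symlink */
    if (fd < 0) return -1;
    /* Check the open descriptor, not the path, so the file that was
       checked is the file that gets read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() ||                  /* must be our own file */
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) { /* no group/other bits */
        close(fd);
        return -1;
    }
    while (len < cap - 1 && (n = read(fd, out + len, cap - 1 - len)) > 0)
        len += (size_t)n;
    close(fd);
    if (n < 0 || len == cap - 1) { wipe(out, cap); return -1; }
    while (len > 0 && (out[len - 1] == '\n' || out[len - 1] == '\r'))
        len--;
    if (len == 0) { wipe(out, cap); return -1; }
    out[len] = '\0';
    return 0;
}
```

The caller passes a fixed-size stack or static buffer and calls `wipe(buf, sizeof buf)` as soon as the password has been handed to the child process.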
© Stack Overflow or respective owner