On 24/07/2012 18:09, Michael Orlitzky wrote:
> We store our virtual_foo_maps in,
>
>   /etc/posfix/maps/virtual_foo_maps.pgsql
>
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
>
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.
>

map_directory = /var/db/postmap
cidr = cidr:${map_directory}/cidr
db = ${db_type}:${map_directory}/${db_type}
map_directory = /var/db/postmap
regex = ${regex_type}:${map_directory}/${regex_type}
sql = ${sql_type}:${map_directory}/${sql_type}
...

ls -l /var/db/
...
drwxr-x--- 9 root postfix 512 Feb 10 2011 postmap/
...

Note that I prefer
  /somedir/pgsql/foo_map
over
  /somedir/foo_map.pgsql

This is because I can do

db_type=mysql
foo_map=${db_type}:/somedir/${db_type}/foo_map
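
An added example, not part of the original message: a small audit script for the layout shown in the reply, checking that the map directory grants nothing to "other" (the drwxr-x--- in the ls output) and flagging files below it that would be exposed if the directory mode were ever loosened. The function names and the script name audit_maps.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): audit a Postfix map
# directory so that local non-postfix accounts cannot reach the map files.

# List entries under $1 (the directory itself included) that grant any
# permission bit to "other". Symlinks are skipped; their own mode is not used.
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# Exit status: 0 = directory closed to "other", 1 = open, 2 = bad argument.
audit_map_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Owner and group, to compare by eye with the root/postfix shown in the reply.
    ls -ld "$dir" | awk '{ print "owner:group = " $3 ":" $4 }'

    # The directory mode is the gate: without r/x for "other", nothing below
    # it can be listed or opened by ordinary shell accounts.
    if [ -n "$(find "$dir" -prune \( -perm -001 -o -perm -002 -o -perm -004 \) -print)" ]; then
        echo "FAIL: $dir grants access to other (want drwxr-x---)"
        return 1
    fi

    # Entries below that are protected only by the parent directory. Not a
    # failure, but a single chmod on the parent would expose them.
    world_accessible "$dir" | while IFS= read -r path; do
        echo "WARN: $path relies on the parent directory mode alone"
    done
    echo "OK: $dir is closed to other"
    return 0
}

# Run as root, e.g.: sh audit_maps.sh /var/db/postmap
if [ "$#" -gt 0 ]; then
    audit_map_dir "$1"
fi
```

A WARN line does not fail the audit; tightening those files to mode 640 removes the dependence on the parent directory.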