On 24/07/2012 18:09, Michael Orlitzky wrote:
> We store our virtual_foo_maps in,
> 
>   /etc/posfix/maps/virtual_foo_maps.pgsql
> 
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
> 
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.
> 


map_directory = /var/db/postmap
cidr = cidr:${map_directory}/cidr
db = ${db_type}:${map_directory}/${db_type}
map_directory = /var/db/postmap
regex = ${regex_type}:${map_directory}/${regex_type}
sql = ${sql_type}:${map_directory}/${sql_type}
...

ls -l /var/db/
...
drwxr-x---    9 root      postfix       512 Feb 10  2011 postmap/
...


note that I prefer
        /somedir/pgsql/foo_map
over
        /somedir/foo_map.pgsql
this is because I can do

db_type=mysql
foo_map=${db_type}:/somedir/${db_type}/foo_map
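
A check for the directory-permission approach in the message above, as an added example that is not part of the original post: it lists map files that a local user outside the owner and group could still read. The function names and the sample tree are hypothetical and constructed; the check looks only at mode bits from the given directory downward and ignores ACLs and parent directories.

```shell
#!/bin/sh
# Added example: find map files readable by local users who are neither
# the owner nor in the group (e.g. ordinary SSH accounts).

# Print every regular file under $1 that has the other-read bit set and is
# reachable only through directories that carry the other-execute bit.
# A directory without o+x is pruned: nothing below it can be opened by
# "other", whatever the modes of the files inside.
exposed_map_files() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# Return 0 when nothing is exposed, 1 otherwise (offenders go to stderr).
check_map_dir() {
    exposed=$(exposed_map_files "$1")
    [ -z "$exposed" ] && return 0
    printf 'readable by other users:\n%s\n' "$exposed" >&2
    return 1
}

# Constructed sample tree using the per-type layout (pgsql/foo_map).
# Prints the path of the map directory it created.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/postmap/pgsql" "$root/postmap/cidr"
    printf 'user = ro_user\npassword = CONSTRUCTED\n' \
        > "$root/postmap/pgsql/foo_map"
    printf '192.0.2.0/24 OK\n' > "$root/postmap/cidr/clients"
    chmod 755 "$root/postmap" "$root/postmap/pgsql" "$root/postmap/cidr"
    chmod 644 "$root/postmap/pgsql/foo_map" "$root/postmap/cidr/clients"
    printf '%s\n' "$root/postmap"
}

# Demo on the constructed tree: world-readable first, then mode 750.
d=$(build_sample_tree)
check_map_dir "$d" || echo "before: exposed"
chmod 750 "$d"    # same mode as drwxr-x--- in the ls -l output
check_map_dir "$d" && echo "after: not exposed"
rm -rf "${d%/postmap}"
```

On a real system the call would be `check_map_dir /var/db/postmap`, run as root so that find can descend into the directory.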
