Avi Miller <avi.mil...@gmail.com> writes:
> Douglas Garstang wrote:
>
>> I need to pass sensitive options, i.e. passwords, on the command line,
>> and don't want them to appear in log files.
>
> I work around this by storing passwords in scripts distributed by File{}
> resources that are mode 400 to root and then Exec'ing the script. That way,
> all the log/catalog sees is the script being run, but not the actual
> password itself.
That still exposes it to anyone on the machine at all[1], since they can
read it from the command line of the running process; the same is true of
putting it in the environment. You really want the process to read it from
a secure file, or to wrap it in expect or something, if you don't trust
local users.[2]

> Though, if someone has permission to read /var/log/messages, then they can
> probably also read root scripts, so YMMV.

I was going to say the same thing, then I thought about the number of places
that ship logs to something: a puppet dashboard, a central logging server, or
somewhere similar, from which you have less control over this data.

Daniel

Footnotes:
[1] ...by default; appropriate SELinux rules might be able to restrict this,
    I guess, but I don't know for sure.

[2] ...which, of course, you shouldn't, because doing that turns a remote
    any-user-account exploit into ownership of a second account, perhaps
    root, and so on.

--
✣ Daniel Pittman   ✉ dan...@rimspace.net   ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
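The pattern Daniel recommends, where the process reads the secret from a root-only file instead of receiving it on its command line, as an added POSIX shell example that is not part of this thread or of Puppet itself. The wrapper refuses a secret file that group or others can read, then hands the secret to the consumer on stdin, so the Exec command line Puppet logs and the argv visible to other local users only ever contain the file path; the secret value, the temp path and the consumer command `tr` are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread): feed a secret to a command from a
# mode-0400 file via stdin, so neither the logged Exec command line nor the
# process argv contains it. Paths and the consumer command are hypothetical.

# Refuse a secret file that group or others can read, so a File{} resource
# that lost its mode 400 does not silently leak the secret.
check_secret_file_mode() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  # columns 5-10 of `ls -l` output are the group and other permission bits
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "$f readable by group/other" >&2; return 1; }
  return 0
}

# Read the first line of the secret file, after checking its mode.
read_secret() {
  check_secret_file_mode "$1" || return 1
  IFS= read -r secret < "$1" || return 1
  printf '%s' "$secret"
}

# Run a command with the secret on its stdin. Only the file path and the
# command name appear in argv (and so in Puppet's log), never the secret.
# Usage: run_with_secret_on_stdin /path/to/secret cmd [args...]
run_with_secret_on_stdin() {
  f="$1"; shift
  secret=$(read_secret "$f") || return 1
  printf '%s\n' "$secret" | "$@"
}

# Demo with a constructed secret in a temp file (stand-in for the File{}
# resource's mode-400 script).
demo() {
  tmp=$(mktemp) || return 1
  trap 'rm -f "$tmp"' EXIT
  printf '%s\n' 'constructed-example-secret' > "$tmp"
  chmod 0644 "$tmp"
  if check_secret_file_mode "$tmp"; then echo "unexpected: accepted 0644"; fi
  chmod 0400 "$tmp"
  run_with_secret_on_stdin "$tmp" tr a-z A-Z
}
```

Call `demo` to see the 0644 copy refused and the 0400 copy consumed; in a manifest the Exec would invoke the wrapper with only the secret file path as an argument.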