Re: [Nagios-devel] Need a way to prevent custom object variables
Posted: Tue Jan 02, 2007 7:21 pm
John Rouillard wrote:
> In message ,
> Ethan Galstad writes:
>
>> [email protected] (John Rouillard) wrote:
>>> In message ,
>>> Joerg Linge writes:
>>>
>>>> Am Freitag, 29. Dezember 2006 18:36 schrieb [email protected]:
>>>>> Hi all:
>>>> [...]
>>>>> It also mentions that custom object vars are available as
>>>>> environmental variables. Is there a way to turn that off? I.E. if the
>>>>> variable was a password you don't want that being passed in the
>>>>> environment where it is viewable by everybody.
>>>> The ENV Vars are only available for new processes forked by the Nagios
>>>> Daemon.
>>>> So the vars are not available for everybody.
>>> Using ps I can dump the environment of any/all processes by default
>>> under linux (ps -auxew for example), so unless you are running a
>>> security enhanced linux that restricts that, any user on the system
>>> can see the environment including passwords.
>> Hmmm... I hadn't thought about this issue. There's really not an
>> easy/efficient way to prevent just a few custom vars from being added as
>> environment vars. Perhaps a different naming convention for some custom
>> vars?
>
> That could work. Maybe a trailing _ in the name or something prevents
> it from being created as an environment variable.
>
> Still have the problem of how to make the custom variable useful
> though since it can't be on the command line for the same reason.
>
> -- rouilj
> John Rouillard
Yeah, probably the only safe way to do it would be to pass the name of a
file (which contains the password, etc. and is locked down) to the
command that's being run. As you noted, command lines and environment
vars are viewable by other processes/people.
Ethan Galstad,
Nagios Developer
---
Email: [email protected]
Website: http://www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
> In message ,
> Ethan Galstad writes:
>
>> [email protected] (John Rouillard) wrote:
>>> In message ,
>>> Joerg Linge writes:
>>>
>>>> Am Freitag, 29. Dezember 2006 18:36 schrieb [email protected]:
>>>>> Hi all:
>>>> [...]
>>>>> It also mentions that custom object vars are available as
>>>>> environmental variables. Is there a way to turn that off? I.E. if the
>>>>> variable was a password you don't want that being passed in the
>>>>> environment where it is viewable by everybody.
>>>> The ENV Vars are only available for new processes forked by the Nagios
>>>> Daemon.
>>>> So the vars are not available for everybody.
>>> Using ps I can dump the environment of any/all processes by default
>>> under linux (ps -auxew for example), so unless you are running a
>>> security enhanced linux that restricts that, any user on the system
>>> can see the environment including passwords.
>> Hmmm... I hadn't thought about this issue. There's really not an
>> easy/efficient way to prevent just a few custom vars from being added as
>> environment vars. Perhaps a different naming convention for some custom
>> vars?
>
> That could work. Maybe a trailing _ in the name or something prevents
> it from being created as an environment variable.
>
> Still have the problem of how to make the custom variable useful
> though since it can't be on the command line for the same reason.
>
> -- rouilj
> John Rouillard
Yeah, probably the only safe way to do it would be to pass the name of a
file (which contains the password, etc. and is locked down) to the
command that's being run. As you noted, command lines and environment
vars are viewable by other processes/people.
Ethan Galstad,
Nagios Developer
---
Email: [email protected]
Website: http://www.nagios.org
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]