I'm not sure how this came up, but I was thinking if I have an nsd.tcl
file which contains database passwords, then that file is not safe to
show to the world. How can I get around this problem?

I use DJB's daemontools package to start/restart/stop AOLserver. It
turns out that the 'run' script needs only to be rwx by root, in
other words set 700, owner root.root. This is the perfect place to put
sensitive data and pass it to AOLserver via environment variables.

The reason for moving this data out of nsd.tcl is that other users may
need to view the file, but they should not be given access to the
database passwords.

Here is an example run file:
-----
#!/bin/bash
# daemontools run file: mode 700, owner root.root, because it holds secrets.
export LD_LIBRARY_PATH=/usr/local/aolserver4/lib:/usr/local/pgsql/lib
export PATH=$PATH:/usr/local/pgsql/bin

# Per-server settings, including the database credentials.
SERVER=cams
SERVERNAME=cams
CONTROLDIR=/web/control/$SERVER
SERVERROOT=/web/$SERVER
DEBUG=true
MAILHOST=a.mx.rmadilo.com
HOSTNAME=cacti
DB_NAME=tom
DB_PASSWORD=somepassword
DATABASE=tomdb
DATABASE_TYPE=postgres
PREFIX=/usr/local/aolserver4
BIN=$PREFIX/bin/nsd
CONFIG=/web/control/cams/cams-nsd.tcl
USER=tom
GROUP=web
ADDRESS=127.0.0.0
HTTPPORT=80
HTTPBIND=${ADDRESS}:${HTTPPORT}

# Pack the settings as name;value;name;value;... for nsd.tcl to split on ";".
# No name or value may itself contain a ";".
# PORT is not assigned in this script, so "port" is passed empty unless PORT
# is inherited from the environment.
AOLSERVER_VARS="db_name;${DB_NAME};db_password;${DB_PASSWORD};database;${DATABASE}"
AOLSERVER_VARS="${AOLSERVER_VARS};database_type;${DATABASE_TYPE};server;${SERVER}"
AOLSERVER_VARS="${AOLSERVER_VARS};controldir;${CONTROLDIR};serverroot;${SERVERROOT}"
AOLSERVER_VARS="${AOLSERVER_VARS};debug;${DEBUG};mailhost;${MAILHOST};port;${PORT}"
AOLSERVER_VARS="${AOLSERVER_VARS};address;${ADDRESS};servername;${SERVERNAME}"
AOLSERVER_VARS="${AOLSERVER_VARS};hostname;${HOSTNAME};httpport;${HTTPPORT}"
export AOLSERVER_VARS

# Replace this shell with nsd so daemontools supervises the server directly.
exec $BIN -it $CONFIG -u $USER -g $GROUP -b $HTTPBIND
-----
Then in the nsd.tcl file I run:
-----
# Unpack the name;value pairs exported by the run file into Tcl variables.
set vars [env get -nocomplain AOLSERVER_VARS]
foreach {var value} [split $vars ";"] {
    set $var $value
}
-----
tom jackson
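
Added example, not part of the original post: two shell helpers for a run file like the one above. One builds the ";"-separated AOLSERVER_VARS string and refuses a name or value containing ";" (which would misalign every later pair when nsd.tcl splits it), the other checks that the run file is owned by the expected uid with no group or other permission bits. The function names pack_vars and run_file_private are hypothetical, and GNU stat is assumed.

```shell
#!/bin/bash
# Added example; function names are hypothetical, GNU stat is assumed.

# pack_vars name value [name value ...]
# Prints the pairs in the AOLSERVER_VARS layout: name;value;name;value...
# nsd.tcl does [split $vars ";"], so a ";" inside any field would shift every
# following pair. Such input is rejected instead of being exported.
pack_vars() {
    local out="" name value
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "pack_vars: odd number of arguments" >&2
        return 2
    fi
    while [ $# -gt 0 ]; do
        name=$1 value=$2
        shift 2
        if [ -z "$name" ]; then
            echo "pack_vars: empty variable name" >&2
            return 1
        fi
        case "$name$value" in
            # Report only the name; the value may be a secret.
            *";"*) echo "pack_vars: ';' not allowed in entry '$name'" >&2
                   return 1 ;;
        esac
        out="${out:+$out;}$name;$value"
    done
    printf '%s\n' "$out"
}

# run_file_private path [uid]
# Succeeds only if path is owned by uid (default 0, root) and grants no
# permission bits to group or other, for example mode 700.
run_file_private() {
    local mode owner want
    want=${2:-0}
    mode=$(stat -c '%a' "$1") || return 2
    owner=$(stat -c '%u' "$1") || return 2
    [ "$owner" = "$want" ] && [ $(( 0$mode & 077 )) -eq 0 ]
}

# Usage with values from the run file above.
AOLSERVER_VARS=$(pack_vars db_name tom db_password somepassword) \
    && export AOLSERVER_VARS
```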