On Tue, 2004-02-10 at 03:25, Mohamed Eldesoky wrote:
> > I imagine it will be pretty simple to just intercept the string in the
> > target parsing section and do a few DB calls... But I'd hate to
> > re-invent the wheel.
>
> That way you will store the DB user/pass somewhere in plain text, thus
> someone will look up the strings in the database.
> Better to the access to the filesystem as tight as possible, and for
> involved admins only.
>

The cfg files have to be readable by the apache user in order for
routers.cgi and mrtg-rrd.cgi to work. The cfg files have to be readable
by the Big Brother user in order for bbmrtg.pl to work. All three of
those tools need to see a target line in order to recognize the presence
of a monitoring point, so I can't pull those out into a separate file
with restricted permissions. None of those tools require an SNMP
community string to function (routers.cgi can use one if you load the
routing-table extension, but that's not recommended in secure
environments).

It would be easy to create a small file with permissions 400 that said
something like:

    lookup*dsn: DBI:mysql:database=mrtg
    lookup*user: mrtg
    lookup*passwd: verysecretstring
    Include: /var/mrtg/cfg/mrtg.cfg

and then point all of the other tools at mrtg.cfg.

But the main point of the exercise is not security. It is flexibility to
change snmp community strings without re-running cfgmaker.

--
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
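Added example, not part of the original message and not MRTG code: a small audit of the two-file layout described above. It follows Include: lines and flags any file that holds the password line while granting access to group or other. The lookup*passwd directive is the hypothetical one from the message; the file name mrtg-db.cfg, the sample Target line and resolving relative Include paths against the including file's directory are assumptions.

```python
import os, re, stat, tempfile

# "lookup*passwd" is the hypothetical directive from the message, not an MRTG keyword.
SECRET_KEY = re.compile(r"^\s*lookup\*passwd\s*:", re.I)
INCLUDE = re.compile(r"^\s*Include\s*:\s*(\S+)", re.I)

def audit(path, seen=None):
    """Return {path: (mode, has_secret, ok)} for path and every file it Includes."""
    seen = {} if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:                      # guard against Include loops
        return seen
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        lines = fh.read().splitlines()
    has_secret = any(SECRET_KEY.match(line) for line in lines)
    # A file holding the DB password must grant nothing to group or other.
    ok = not (has_secret and mode & 0o077)
    seen[path] = (mode, has_secret, ok)
    for line in lines:
        m = INCLUDE.match(line)
        if m:                             # assumption: relative to including file
            audit(os.path.join(os.path.dirname(path), m.group(1)), seen)
    return seen

def demo():
    """Build the layout in a temp dir (constructed sample data) and audit it twice."""
    d = tempfile.mkdtemp()
    shared = os.path.join(d, "mrtg.cfg")        # read by apache / Big Brother
    wrapper = os.path.join(d, "mrtg-db.cfg")    # hypothetical name, mode 400
    with open(shared, "w") as fh:
        fh.write("WorkDir: /var/mrtg\nTarget[r1]: 2:placeholder@router1\n")
    os.chmod(shared, 0o644)
    with open(wrapper, "w") as fh:
        fh.write("lookup*dsn: DBI:mysql:database=mrtg\nlookup*user: mrtg\n"
                 "lookup*passwd: verysecretstring\nInclude: %s\n" % shared)
    os.chmod(wrapper, 0o400)
    good = audit(wrapper)                 # intended layout
    os.chmod(wrapper, 0o644)              # simulate permissions drifting open
    bad = audit(wrapper)
    return wrapper, shared, good, bad

if __name__ == "__main__":
    wrapper, shared, good, bad = demo()
    for label, result in (("intended", good), ("drifted", bad)):
        for p, (mode, secret, ok) in result.items():
            print(label, os.path.basename(p), oct(mode), "secret" if secret else "-",
                  "OK" if ok else "TOO OPEN")
```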
