[Nagios-devel] Need a way to prevent custom object variables (e.g. password) from going into environment

Ethan Galstad nagios at nagios.org
Wed Jan 3 03:21:12 UTC 2007


John Rouillard wrote:
> In message <459AF58D.2060202 at nagios.org>,
> Ethan Galstad writes:
> 
>> rouilj+nagiosdev at cs.umb.edu (John Rouillard) wrote:
>>> In message <200612292131.36963.pitchfork at ederdrom.de>,
>>> Joerg Linge writes:
>>>
>>>> On Friday, 29 December 2006 at 18:36, rouilj+nagiosdev at cs.umb.edu wrote:
>>>>> Hi all:
>>>> [...]
>>>>> It also mentions that custom object vars are available as
>>>>> environmental variables. Is there a way to turn that off? I.E. if the
>>>>> variable was a password you don't want that being passed in the
>>>>> environment where it is viewable by everybody.
>>>> The ENV Vars are only available for new processes forked by the Nagios
>>>> Daemon.
>>>> So the vars are not available for everybody.
>>> Using ps I can dump the environment of any/all processes by default
>>> under linux (ps -auxew for example), so unless you are running a
>>> security enhanced linux that restricts that, any user on the system
>>> can see the environment including passwords.
>> Hmmm... I hadn't thought about this issue.  There's really not an 
>> easy/efficient way to prevent just a few custom vars from being added as 
>> environment vars.  Perhaps a different naming convention for some custom 
>> vars?
> 
> That could work. Maybe a trailing _ in the name or something prevents
> it from being created as an environment variable.
> 
> Still have the problem of how to make the custom variable useful
> though since it can't be on the command line for the same reason.
> 
> 				-- rouilj
> John Rouillard

Yeah, probably the only safe way to do it would be to pass the name of a 
file (which contains the password, etc. and is locked down) to the 
command that's being run.  As you noted, command lines and environment 
vars are viewable by other processes/people.


Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
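
The approach described in the reply above (hand the command the name of a locked-down file rather than the secret itself), sketched as an added example that is not part of the original thread and not Nagios code. The function name `read_secret`, the exception class, and the plugin usage line are hypothetical; the check assumes the file should be owned by the user the check runs as and have no group/other permission bits.

```python
import os
import stat
import sys


class InsecureSecretFile(Exception):
    """Raised when the secret file could be read or altered by other users."""


def read_secret(path, expected_uid=None):
    """Return the first line of `path`, refusing files that are not locked down.

    expected_uid defaults to the effective uid of the calling process
    (the Nagios daemon's user when run as a check).
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW: do not follow a symlink placed at the final path component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat the open descriptor so the checks apply to the file we read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureSecretFile(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise InsecureSecretFile(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureSecretFile(
                f"{path}: mode {stat.S_IMODE(st.st_mode):04o} allows group/other access")
        with os.fdopen(fd, "r") as fh:
            fd = None  # fdopen now owns the descriptor
            return fh.readline().rstrip("\n")
    finally:
        if fd is not None:
            os.close(fd)


if __name__ == "__main__":
    # Hypothetical plugin usage: check_thing.py /path/to/secret-file
    try:
        password = read_secret(sys.argv[1])
    except (OSError, InsecureSecretFile, IndexError) as exc:
        print(f"UNKNOWN - cannot use secret file: {exc}")
        sys.exit(3)  # Nagios plugin exit code for UNKNOWN
    print("OK - secret loaded (value not printed)")
    sys.exit(0)
```

Only the file path appears on the command line, so neither `ps` output nor the process environment carries the password.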



