[Nagios-devel] Need a way to prevent custom object variables (e.g. password) from going into environment
nagios at nagios.org
Wed Jan 3 03:21:12 UTC 2007
John Rouillard wrote:
> In message <459AF58D.2060202 at nagios.org>,
> Ethan Galstad writes:
>> rouilj+nagiosdev at cs.umb.edu (John Rouillard) wrote:
>>> In message <200612292131.36963.pitchfork at ederdrom.de>,
>>> Joerg Linge writes:
>>>> Am Freitag, 29. Dezember 2006 18:36 schrieb rouilj+nagiosdev at cs.umb.edu:
>>>>> Hi all:
>>>>> It also mentions that custom object vars are available as
>>>>> environmental variables. Is there a way to turn that off? I.E. if the
>>>>> variable was a password you don't want that being passed in the
>>>>> environment where it is viewable by everybody.
>>>> The ENV Vars are only available for new processes forked by the Nagios
>>>> So the vars are not available for everybody.
>>> Using ps I can dump the environment of any/all processes by default
>>> under linux (ps -auxew for example), so unless you are running a
>>> security enhanced linux that restricts that, any user on the system
>>> can see the environment including passwords.
>> Hmmm... I hadn't thought about this issue. There's really not an
>> easy/efficient way to prevent just a few custom vars from being added as
>> environment vars. Perhaps a different naming convention for some custom
> That could work. Maybe a trailing _ in the name or something prevents
> it from being created as an environment variable.
> Still have the problem of how to make the custom variable useful
> though since it can't be on the command line for the same reason.
> -- rouilj
> John Rouillard
Yeah, probably the only safe way to do it would be to pass the name of a
file (which contains the password, etc. and is locked down) to the
command that's being run. As you noted, command lines and environment
vars are viewable by other processes/people.
Email: nagios at nagios.org
More information about the Nagios-devel