Is there a way to stop puppetd from logging the command line arguments passed to an Exec()? I need to pass sensitive options, ie passwords, on the command line, and don't want them to appear in log files.

Doug.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 04/24/2010 01:02 AM, Douglas Garstang wrote:
> Is there a way to stop puppetd from logging the command line arguments
> passed to an Exec() ?
>
> I need to pass sensitive options, ie passwords, on the command line,
> and don't want them to appear in log files.

imho not yet*.

cheers
pete

* i think it's reasonable to file a bug for this.
On Fri, Apr 23, 2010 at 4:02 PM, Douglas Garstang <doug.garstang@gmail.com> wrote:
> Is there a way to stop puppetd from logging the command line arguments
> passed to an Exec() ?
>
> I need to pass sensitive options, ie passwords, on the command line,
> and don't want them to appear in log files.

You know they'll still appear in the catalog?

> Doug.

-- 
nigel
Hey Douglas,

Douglas Garstang wrote:
> I need to pass sensitive options, ie passwords, on the command line,
> and don't want them to appear in log files.

I work around this by storing passwords in scripts distributed by File{} resources that are mode 400 to root and then Exec'ing the script. That way, all the log/catalog sees is the script being run, but not the actual password itself. Though, if someone has permission to read /var/log/messages, then they can probably also read root scripts, so YMMV.

cYa,
Avi
Avi Miller <avi.miller@gmail.com> writes:
> Douglas Garstang wrote:
>
>> I need to pass sensitive options, ie passwords, on the command line,
>> and don't want them to appear in log files.
>
> I work around this by storing passwords in scripts distributed by File{}
> resources that are mode 400 to root and then Exec'ing the script. That way,
> all the log/catalog sees is the script being run, but not the actual
> password itself.

That still exposes it to anyone on the machine at all[1], since they can read it from the command line of the running process; the same is true of putting it in the environment. You really want the process to read it from a secure file, or to wrap it in expect or something, if you don't trust local users.[2]

> Though, if someone has permission to read /var/log/messages, then they can
> probably also read root scripts, so YMMV.

I was going to say the same thing, then I thought about the number of places that ship logs to something: a puppet dashboard, a central logging server, or somewhere similar, from which you have less control over this data.

Daniel

Footnotes:
[1] ...by default; appropriate SELinux rules might be able to restrict this, I guess, but I don't know for sure.
[2] ...which, of course, you shouldn't, because doing that turns a remote any-user-account exploit into ownership of a second account, perhaps root, and so on.

-- 
✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
On 24.04.2010 01:02, Douglas Garstang wrote:
> I need to pass sensitive options, ie passwords, on the command line,
> and don't want them to appear in log files.

I think doing so is generally a bad idea. Command line arguments are world-readable from the process list. Better put the sensitive parameters into a config file with reasonable permissions.

Christian

-- 
Dipl.-Inf. Christian Kauhaus <>< · mail/jabber: kc@gocept.com
gocept gmbh & co. kg · forsterstraße 29 · 06112 halle (saale) · germany
http://gocept.com · tel +49 345 1229889 11 · fax +49 345 1229889 1
Zope and Plone consulting and development
On Apr 24, 2010, at 3:26 AM, Christian Kauhaus wrote:
> On 24.04.2010 01:02, Douglas Garstang wrote:
>> I need to pass sensitive options, ie passwords, on the command line,
>> and don't want them to appear in log files.
>
> I think doing so is generally a bad idea. Command line arguments are
> world-readable from the process list. Better put the sensitive parameters
> into a config file with reasonable permissions.
>
> Christian

To expand on this, most command-line programs that take sensitive parameters will also take a file with the parameters so you don't have to expose them to the world.
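The pattern the thread converges on (Avi's root-only File resource, with Daniel's and Christian's caveat that the tool must read the secret from that file rather than receive it as an argument or environment variable), shown as an added manifest that is not from any poster; `mytool`, its `--password-file` flag and `/etc/mytool/password` are hypothetical stand-ins, and `show_diff` is a file attribute from Puppet releases later than the one discussed here.

```puppet
# Weak: the password is part of the exec command string, so it ends up in the
# puppetd log, in the catalog, and in the process list while the tool runs.
exec { 'rotate-db-password-weak':
  command => '/usr/local/bin/mytool --user app --password s3cr3t rotate',  # hypothetical tool
  path    => ['/usr/bin', '/bin', '/usr/local/bin'],
}

# Hardened: the secret lives in a root-only file managed by Puppet, and the
# command only references the file's path, so logs, catalog resource titles
# and `ps` show the path rather than the value. The file content is still
# carried in the catalog (Nigel's point), so the master and its transport
# remain in the trust boundary.
$secret_file = '/etc/mytool/password'  # hypothetical path

file { '/etc/mytool':
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0700',
}

file { $secret_file:
  ensure    => file,
  owner     => 'root',
  group     => 'root',
  mode      => '0400',
  content   => "s3cr3t\n",  # constructed sample value; in practice supply it from a lookup, not a literal
  show_diff => false,       # keep the content out of the agent's change diff output
  require   => File['/etc/mytool'],
}

exec { 'rotate-db-password':
  command     => "/usr/local/bin/mytool --user app --password-file ${secret_file} rotate",
  path        => ['/usr/bin', '/bin', '/usr/local/bin'],
  logoutput   => on_failure,  # do not echo the tool's output (which may contain the secret) on every run
  subscribe   => File[$secret_file],
  refreshonly => true,        # only rerun when the secret file actually changes
}
```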