On Thu, Feb 14, 2008 at 09:05:16PM +0100, Ivan Garcia Sainz-Aja wrote:
> is it possible reading the password from an operating system env
> variable, can it be configured from an environment variable set at
> startup

That might be a terrible idea, depending on your OS. On Linux, for example, with the proc filesystem mounted, you can go to /proc/NNNN/env and read the environment of process NNNN easily.

Ultimately, unless your password is typed in by an operator at startup time, there must be at least one unencrypted password somewhere on the server, and for that filesystem protections are your only help. If your configuration files are properly protected, anyone who can read the password out of them already has root access, and if that person isn't trusted then you have a much bigger problem than one password being stolen. For this reason, I usually just take any password off the private key and make sure that its filesystem protection is adequate.

If you're handling money or state secrets, you really should just ask your auditors what to do, because if you come up with any method they haven't already approved then your system will fail its next audit.

--
Mark H. Wood, Lead System Programmer   mwood@xxxxxxxxx
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
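An added example, not part of the original message: a Python check for the filesystem protection the reply relies on once the passphrase is taken off the private key. The function name, the default expected owner (the user running the check) and the sample file are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_secret_file(path, expected_uid=None):
    """Return a list of findings for a key or password file; empty means OK."""
    if expected_uid is None:
        expected_uid = os.geteuid()  # assumption: the service runs as this user
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]

    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    # Any group/other permission bit exposes the secret beyond its owner.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"{path}: group/other bits set (mode {stat.S_IMODE(st.st_mode):04o})")

    # A directory others can write to lets them rename or replace the file,
    # even when the file's own mode is 0600.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(
            f"{parent}: directory writable by group/other "
            f"(mode {stat.S_IMODE(pst.st_mode):04o})")
    return findings


if __name__ == "__main__":
    # Constructed sample: a throwaway directory and a dummy key file.
    workdir = tempfile.mkdtemp()
    os.chmod(workdir, 0o700)
    key = os.path.join(workdir, "server.key")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    for mode in (0o600, 0o644):
        os.chmod(key, mode)
        print(f"{mode:04o}:", audit_secret_file(key) or "OK")
```

The check covers the file and its immediate directory only; ancestors further up the path need the same treatment on a real server.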