3

I'm adapting some examples I've found by Googling to build an init script to run a VirtualBox OSE virtual machine as a daemon. I would like to specify a password for VNC access to the VM, and this must be given as an argument to the VBoxHeadless command.

Conventionally, init scripts are readable by standard users, and this seems like a useful convention, but I also don't want the VNC password for this VM to be stored in easily accessible plain text.

What's the most appropriate/conventional way to handle this kind of situation? Maybe put a root-readable supporting data file someplace, and have the init script load the value from there?

Steve Jorgensen

2 Answers

7

Putting a file readable only by root somewhere into /etc is a technique I've come across a few times at least in Debian (dbconfig-common does that, for example).

Sourcing a file with plain passwords belonging to root sounds like quite a good idea to me, given the fact that init runs as root and there are already a lot of sensitive files in /etc anyway (private keys for certificates being one of them).

The correct path to put such a file may vary from distribution to distribution. I'd personally prefer e.g. /etc/name-of-init-script/config over any other location as /etc is a good place to put user files. Places like /var/lib should be reserved for files managed by your distribution's package manager (or whatever they may call it) and installed software writing its data there.

Alex
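One way to implement the root-only file approach described in the answer above, as an added example that is not part of the original answer: the helper refuses to source the file unless it is a regular file, owned by root, with no group or other permission bits. The path `/etc/vbox-vm/config` and the names `SECRET_CONF`, `SECRET_OWNER_UID` and `VNC_PASSWORD` are assumptions.

```shell
#!/bin/sh
# Added example: all names and paths here are hypothetical, not from the page.
SECRET_CONF="${SECRET_CONF:-/etc/vbox-vm/config}"  # hypothetical location
SECRET_OWNER_UID="${SECRET_OWNER_UID:-0}"          # 0 = root

# check_secret_file FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by
# SECRET_OWNER_UID, with no group/other permission bits set.
check_secret_file() {
    csf_file=$1
    # ls -ldn does not follow symlinks; field 1 is the mode string,
    # field 3 is the numeric owner uid.
    csf_info=$(ls -ldn -- "$csf_file" 2>/dev/null) || {
        echo "secret file $csf_file: not found" >&2
        return 1
    }
    csf_mode=${csf_info%% *}
    csf_uid=$(printf '%s\n' "$csf_info" | awk '{ print $3 }')

    case $csf_mode in
        -???------*) ;;  # e.g. -rw------- or -r--------
        *)  echo "secret file $csf_file: unsafe mode $csf_mode" >&2
            return 1 ;;
    esac
    if [ "$csf_uid" != "$SECRET_OWNER_UID" ]; then
        echo "secret file $csf_file: owned by uid $csf_uid" >&2
        return 1
    fi
    return 0
}

# load_vnc_password FILE
# Sources FILE (expected to contain a line such as VNC_PASSWORD=...)
# only after the checks pass, and fails if the variable ends up empty.
load_vnc_password() {
    check_secret_file "$1" || return 1
    VNC_PASSWORD=
    . "$1"
    [ -n "$VNC_PASSWORD" ]
}

# In the init script's start action:
#   load_vnc_password "$SECRET_CONF" || exit 1
#   ...then hand "$VNC_PASSWORD" to the VBoxHeadless invocation.
```

Create the file with `chmod 600` and root ownership before the first start. Once the value is passed to VBoxHeadless as an argument it can be visible to other local users in the process list while the VM runs, so the file permissions protect the password only at rest.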
1

Yes, that is the correct way to do it. Look under /etc/sysconfig or /var/lib as places to put such a file.

Ignacio Vazquez-Abrams